Abstract

We present a new technique for verifying correspondences in security protocols. In particular, correspondences can be used to formalize authentication. Our technique is fully automatic, it can handle an unbounded number of sessions of the protocol, and it is efficient in practice. It significantly extends a previous technique for the verification of secrecy. The protocol is represented in an extension of the pi calculus with fairly arbitrary cryptographic primitives. This protocol representation includes the specification of the correspondence to be verified, but no other annotation. This representation is then translated into an abstract representation by Horn clauses, which is used to prove the desired correspondence. Our technique has been proved correct and implemented. We have tested it on various protocols from the literature. The experimental results show that these protocols can be verified by our technique in less than 1 s.



1 Introduction 

The verification of security protocols has already been the subject of numerous research works. It is particularly important since the design of protocols is error-prone, and errors cannot be detected by testing, since they appear only in the presence of a malicious adversary. An important trend in this area aims to verify protocols in the so-called Dolev-Yao model [39], with an unbounded number of sessions, while relying as little as possible on human intervention. While protocol insecurity is NP-complete for a bounded number of sessions [65], it is undecidable for an unbounded number of sessions [41]. Hence, automatic verification for an unbounded number of sessions cannot be achieved for all protocols. It is typically achieved using language-based techniques such as typing or abstract interpretation, which can handle infinite-state systems thanks to safe approximations. These techniques are not complete (a correct protocol can fail to typecheck, or false attacks can be found by abstract interpretation tools), but they are sound (when they do not find attacks, the protocol is guaranteed to satisfy the considered property). This is important for the certification of protocols.

Our goal in this paper is to extend previous work in this line of research by providing a fully automatic technique for verifying correspondences in security protocols, without bounding the number of sessions of the protocol. Correspondences are properties of the form: if the protocol executes some event, then it must have executed some other events before¹. We consider a rich language of correspondences, in which the events that must have been executed can be described by a logical formula containing conjunctions and disjunctions. Furthermore, we consider both non-injective correspondences (if the protocol executes some event, then it must have executed some other events at least once) and injective correspondences (if the protocol executes some event n times, then it must have executed some other events at least n times). Correspondences, initially named correspondence assertions [71], and the similar notion of agreement [54] were first introduced to model authentication. Intuitively, a protocol authenticates A to B if, when B thinks he talks to A, then he actually talks to A. When B thinks he has run the protocol with A, he executes an event e(A, B). When A thinks she runs the protocol with B, she executes another event e'(A, B). Authentication is satisfied when, if B executes his event e(A, B), then A has executed her event e'(A, B). Several variants along this scheme appear in the literature and, as we show below, our technique can handle most of them. Our correspondences can also encode secrecy, as follows. A protocol preserves the secrecy of some value M when the adversary cannot obtain M. We associate an "event" attacker(M) to the fact that the adversary obtains M, and represent the secrecy of M as "attacker(M) cannot be executed", that is, "if attacker(M) has been executed, then false." More complex properties can also be specified by our correspondences, for example that all messages of the protocol have been sent in order; this feature was used in [3].

Our technique is based on a substantial extension of a previous verification technique for secrecy [1, 13, 69]. More precisely, the protocol is represented in the process calculus introduced in [1], which is an extension of the pi calculus with fairly arbitrary cryptographic primitives. This process calculus is extended with events, used in the statement of correspondences. These events are the only required annotation of the protocol; no annotation is needed to help the tool prove correspondences. The protocol is then automatically translated into a set of Horn clauses. This translation requires significant extensions with respect to the translation for secrecy given in [1], and can be seen as an implementation of a type system, as in [1]. Some of these extensions improve the precision of the analysis, in particular to avoid merging different nonces. Other extensions define the translation of events. Finally, this set of Horn clauses is passed to a resolution-based solver, similar to that of [13, 20, 69]. Some minor extensions of this solver are required to prove correspondences. This solver does not always terminate, but we show in Section 8.1 that it terminates for a large class of well-designed protocols, named tagged protocols. Our experiments also demonstrate that, in practice, it terminates on many examples of protocols.

The main advantages of our method can be summarized as follows. It is fully automatic; the user only has to code the protocol and the correspondences to prove. It puts no bounds on the number of sessions of the protocol or the size of terms that the adversary can manipulate. It can handle fairly general cryptographic primitives, including shared-key encryption, public-key encryption, signatures, one-way hash functions, and Diffie-Hellman key agreements. It relies on a precise semantic foundation. One limitation of the technique is that, in rare cases, the solving algorithm does not terminate. The technique is also not complete: the translation into Horn clauses introduces an abstraction, which forgets the number of repetitions of each action [17]. This abstraction is key to the treatment of an unbounded number of sessions. Due to this abstraction, the tool provides sufficient conditions for proving correspondences, but can fail on correct protocols. Basically, it fails to prove protocols that first need to keep some value secret and later reveal it (see Section 5.2.2). In practice, the tool is still very precise and, in our experiments, it always succeeded in proving protocols that were correct.

Our technique is implemented in the protocol verifier ProVerif, available at http://www.proverif.ens.fr/.

Comparison with Other Papers on ProVerif As mentioned above, this paper extends previous work on the verification of secrecy [1] in order to prove correspondences. Secrecy (defined as the impossibility for the adversary to compute the secret) and correspondences are trace properties. Other papers deal with the proof of certain classes of observational equivalences, i.e., that the adversary cannot distinguish certain processes: [15, 16] deal with the proof of strong secrecy, i.e., that the adversary cannot see when the value of a secret changes; [18] deals with the proof of equivalences between processes that differ only by the terms that they contain. Moreover, [18] also explains how to handle cryptographic primitives defined by equational theories (instead of rewrite rules) and how to deal with guessing attacks against weak secrets.

As shown in [20], the resolution algorithm terminates for tagged protocols. The present paper extends this result in Section 8.1, by providing a characterization of tagged protocols at the level of processes instead of at the level of Horn clauses.

ProVerif can also reconstruct an attack using a derivation from the Horn clauses, when the proof of a secrecy property fails [6]. Although the present paper does not detail this point, this work has also been extended to the reconstruction of attacks against non-injective correspondences.

Finally, [2], [3], and [19] present three case studies done at least partly using ProVerif: [2] studies a certified email protocol, [3] studies the Just Fast Keying protocol, and [19] studies the Plutus secure file system. These case studies rely partly on the results presented in this paper.

Related Work We mainly focus on the works that automatically verify correspondences and authentication for security protocols, without bounding the number of sessions.

The NRL protocol analyzer [42, 57], based on narrowing in rewriting systems, can verify correspondences defined in a rich language of logical formulae [68]. It is sound and complete, but does not always terminate. Our Horn clause representation is more abstract than the representation of NRL, which should enable us to terminate more often and be more efficient, while remaining precise enough to prove most desired properties.

Gordon and Jeffrey designed a system named Cryptic for verifying authentication by typing in security protocols [45-47]. They handle shared-key and public-key cryptography. Our system allows more general cryptographic primitives (including hash functions and Diffie-Hellman key agreements). Moreover, in our system, no annotation is needed, whereas, in Cryptic, explicit type casts and checks have to be manually added. However, Cryptic has the advantage that type checking always terminates, whereas, in some rare cases, our analyzer does not.

Bugliesi et al. [25] define another type system for proving authentication in security protocols. The main advantage of their system is that it is compositional: it allows one to prove independently the correctness of the code of each role of the protocol. However, the form of messages is restricted to certain tagged terms. This approach is compared with Cryptic in [24].

Backes et al. [10] prove secrecy and authentication for security protocols, using an abstract-interpretation-based analysis. This analysis builds a causal graph, which captures the causality among program events; the security properties are proved by traversing this graph. This analysis can handle an unbounded number of sessions of the protocol; it always terminates, at the cost of additional abstractions, which may cause false attacks. It handles shared-key and public-key cryptography, but not Diffie-Hellman key agreements. It assumes that the messages are typed, so that names can be distinguished from other terms.

Bodei et al. [21] show message authentication via a control flow analysis on a process calculus named Lysa. Like [10], they handle shared-key and public-key cryptography, and their analysis always terminates, at the cost of additional abstractions. The notion of authentication they prove is different from ours: they show message authentication rather than entity authentication.

Debbabi et al. [36] also verify authentication thanks to a representation of protocols by inference rules, very similar to our Horn clauses. However, they verify a weaker notion of authentication (corresponding to aliveness: if B terminates the protocol, then A must have been alive at some point before), and handle only shared-key encryption.

A few other methods require little human effort, while supporting an unbounded number of runs: the verifier of [51], based on rank functions, can prove the correctness of or find attacks against protocols with atomic symmetric or asymmetric keys. Theorem proving [63] often requires manual intervention of the user. An exception to this is [32], but it deals only with secrecy. The theorem prover TAPS [30] often succeeds without or with little human intervention.

Model checking [53, 59] in general implies a limit on the number of sessions of the protocol. This problem has been tackled by [22, 23, 64]. They recycle nonces, to use only a finite number of them in an infinite number of runs. The technique was first used for sequential runs, then generalized to parallel runs in [23], but with the additional restriction that the agents must be "factorisable". (Basically, a single run of the agent has to be split into several runs such that each run contains only one fresh value.)

Strand spaces [44] are a formalism for reasoning about security protocols. They have been used for elegant manual proofs of authentication [49]. The automatic tool Athena [66] combines model checking and theorem proving, and uses strand spaces to reduce the state space. Scyther [33] uses an extension of Athena's method with trace patterns to analyze simultaneously a group of traces. These tools still sometimes limit the number of sessions to guarantee termination.

Amadio and Prasad [7] note that authentication can be translated into secrecy, by using a judge process. The translation is limited in that only one message can be registered by the judge, so the verified authentication property is not exactly the same as ours.

Outline Section 2 introduces our process calculus. Section 3 defines the correspondences that we verify, including secrecy and various notions of authentication. Section 4 outlines the main ideas behind our technique for verifying correspondences. Section 5 explains the construction of Horn clauses and shows its correctness, Section 6 describes our solving algorithm and shows its correctness, and Section 7 applies these results to the proof of correspondences. Section 8 discusses the termination of our algorithm: it shows termination for tagged protocols and how to obtain termination more often in the general case. Section 9 presents some extensions to our framework. Section 10 gives our experimental results on a selection of security protocols of the literature, and Section 11 concludes. The proofs of our results are grouped in the appendices.

2 The Process Calculus 

In this section, we present the process calculus that we use to represent security protocols: we give its syntax, semantics, and illustrate it on an example protocol.

2.1 Syntax and Informal Semantics 

Figure 1 gives the syntax of terms (data) and processes (programs) of our calculus. The identifiers a, b, c, k, and similar ones range over names, and x, y, and z range over variables. The syntax also assumes a set of symbols for constructors and destructors; we often use f for a constructor and g for a destructor.

Constructors are used to build terms. Therefore, the terms are variables, names, and constructor applications of the form f(M_1, ..., M_n); the terms are untyped. On the other hand, destructors do not appear in terms, but only manipulate terms in processes. They are partial functions on terms that processes can apply. The process let x = g(M_1, ..., M_n) in P else Q tries to evaluate g(M_1, ..., M_n); if this succeeds, then x is bound to the result and P is executed, else Q is executed. More precisely, the semantics of a destructor g of arity n is given by a set def(g) of rewrite rules of the form g(M_1, ..., M_n) → M where M_1, ..., M_n, M are terms without names, and the variables of M also occur in M_1, ..., M_n. We extend these rules by g(M'_1, ..., M'_n) → M' if and only if there exist a substitution σ and a rewrite rule g(M_1, ..., M_n) → M in def(g) such that M'_i = σM_i for all i ∈ {1, ..., n}, and M' = σM. We assume that the set def(g) is finite. (It usually contains one or two rules in examples.) We define destructors by rewrite rules instead of the equalities used in [1]. This definition allows destructors to yield several different results non-deterministically. (Non-deterministic rewrite rules are used in our modeling of Diffie-Hellman key agreements; see Section 9.1.) Using constructors and destructors, we can represent data structures and cryptographic operations as summarized in Figure 2. (We present only probabilistic public-key encryption because, in the computational model, a secure public-key encryption algorithm must be probabilistic. We have chosen to present deterministic signatures; we could easily model probabilistic signatures by adding a third argument r containing the random coins, as for encryption. The coins should be chosen using a restriction (νa) which creates a fresh name a, representing a fresh random number.)

M, N ::=                                    terms
    x, y, z                                 variable
    a, b, c, k                              name
    f(M_1, ..., M_n)                        constructor application

P, Q ::=                                    processes
    M⟨N⟩.P                                  output
    M(x).P                                  input
    0                                       nil
    P | Q                                   parallel composition
    !P                                      replication
    (νa)P                                   restriction
    let x = g(M_1, ..., M_n) in P else Q    destructor application
    if M = N then P else Q                  conditional
    event(M).P                              event

Figure 1: Syntax of the process calculus

Constructors and destructors can be public or private. The public ones can be used by the adversary, which is the case when not stated otherwise. The private ones can be used only by honest participants. They are useful in practice to model tables of keys stored in a server, for instance. A public constructor host computes a host name from a long-term secret key, and a private destructor getkey returns the key from the host name, and simulates a lookup in a table of pairs (host name, key). Using a public constructor host allows the adversary to create and register any number of host names and keys. However, since getkey is private, the adversary cannot compute a key from the host name, which would break all protocols: host names are public while keys of honest participants are secret.

The process calculus provides additional instructions for executing events, which will be used for specifying correspondences. The process event(M).P executes the event event(M), then executes P.

The other constructs in the syntax of Figure 1 are standard; most of them come from the pi calculus. The input process M(x).P inputs a message on channel M, and executes P with x bound to the input message. The output process M⟨N⟩.P outputs the message N on the channel M and then executes P. We allow communication on channels that can be arbitrary terms. (We could adapt our work to the case in which channels are only names.) Our calculus is monadic (in that the messages are terms rather than tuples of terms), but a polyadic calculus can be simulated since tuples are terms. It is also synchronous (in that a process P is executed after the output of a message). The nil process 0 does nothing. The process P | Q is the parallel composition of P and Q. The replication !P represents an unbounded number of copies of P in parallel. The restriction (νa)P creates a new name a and then executes P. The conditional if M = N then P else Q executes P if M and N reduce to the same term at runtime; otherwise, it executes Q. We define let x = M in P as syntactic sugar for P{M/x}. As usual, we may omit an else clause when it consists of 0.

Tuples:
    Constructor:   tuple  ntuple(x_1, ..., x_n)
    Destructors:   projections  ith_n(ntuple(x_1, ..., x_n)) → x_i
Shared-key encryption:
    Constructor:   encryption of x under the key y  sencrypt(x, y)
    Destructor:    decryption  sdecrypt(sencrypt(x, y), y) → x
Probabilistic shared-key encryption:
    Constructor:   encryption of x under the key y with random coins r  sencrypt_p(x, y, r)
    Destructor:    decryption  sdecrypt_p(sencrypt_p(x, y, r), y) → x
Probabilistic public-key encryption:
    Constructors:  encryption of x under the key y with random coins r  pencrypt_p(x, y, r)
                   public key generation from a secret key y  pk(y)
    Destructor:    decryption  pdecrypt_p(pencrypt_p(x, pk(y), r), y) → x
Signatures:
    Constructors:  signature of x with the secret key y  sign(x, y)
                   public key generation from a secret key y  pk(y)
    Destructors:   signature verification  checksignature(sign(x, y), pk(y)) → x
                   message without signature  getmessage(sign(x, y)) → x
Non-message-revealing signatures:
    Constructors:  signature of x with the secret key y  nmrsign(x, y)
                   public key generation from a secret key y  pk(y)
                   constant  true
    Destructor:    verification  nmrchecksign(nmrsign(x, y), pk(y), x) → true
One-way hash functions:
    Constructor:   hash function  h(x)
Table of host names and keys:
    Constructor:   host name from key  host(x)
    Private destructor:  key from host name  getkey(host(x)) → x

Figure 2: Constructors and destructors

The name a is bound in the process (νa)P. The variable x is bound in P in the processes M(x).P and let x = g(M_1, ..., M_n) in P else Q. We write fn(P) and fv(P) for the sets of names and variables free in P, respectively. A process is closed if it has no free variables; it may have free names. We identify processes up to renaming of bound names and variables. We write {M_1/x_1, ..., M_n/x_n} for the substitution that replaces x_1, ..., x_n with M_1, ..., M_n, respectively.

$$
\begin{array}{ll}
E, \mathcal{P} \cup \{0\} \to E, \mathcal{P} & \text{(Red Nil)} \\
E, \mathcal{P} \cup \{!P\} \to E, \mathcal{P} \cup \{P, !P\} & \text{(Red Repl)} \\
E, \mathcal{P} \cup \{P \mid Q\} \to E, \mathcal{P} \cup \{P, Q\} & \text{(Red Par)} \\
E, \mathcal{P} \cup \{(\nu a)P\} \to E \cup \{a'\}, \mathcal{P} \cup \{P\{a'/a\}\} \quad \text{where } a' \notin E & \text{(Red Res)} \\
E, \mathcal{P} \cup \{N\langle M\rangle.Q,\ N(x).P\} \to E, \mathcal{P} \cup \{Q,\ P\{M/x\}\} & \text{(Red I/O)} \\
E, \mathcal{P} \cup \{\text{let } x = g(M_1, \ldots, M_n) \text{ in } P \text{ else } Q\} \to E, \mathcal{P} \cup \{P\{M'/x\}\} \quad \text{if } g(M_1, \ldots, M_n) \to M' & \text{(Red Destr 1)} \\
E, \mathcal{P} \cup \{\text{let } x = g(M_1, \ldots, M_n) \text{ in } P \text{ else } Q\} \to E, \mathcal{P} \cup \{Q\} \quad \text{if there exists no } M' \text{ such that } g(M_1, \ldots, M_n) \to M' & \text{(Red Destr 2)} \\
E, \mathcal{P} \cup \{\text{if } M = M \text{ then } P \text{ else } Q\} \to E, \mathcal{P} \cup \{P\} & \text{(Red Cond 1)} \\
E, \mathcal{P} \cup \{\text{if } M = N \text{ then } P \text{ else } Q\} \to E, \mathcal{P} \cup \{Q\} \quad \text{if } M \neq N & \text{(Red Cond 2)} \\
E, \mathcal{P} \cup \{\text{event}(M).P\} \to E, \mathcal{P} \cup \{P\} & \text{(Red Event)}
\end{array}
$$

Figure 3: Operational semantics



2.2 Operational Semantics 

A semantic configuration is a pair $E, \mathcal{P}$ where the environment E is a finite set of names and $\mathcal{P}$ is a finite multiset of closed processes. The environment E must contain at least all free names of processes in $\mathcal{P}$. The configuration {a_1, ..., a_n}, {P_1, ..., P_n} corresponds intuitively to the process (νa_1) ... (νa_n)(P_1 | ... | P_n). The semantics of the calculus is defined by a reduction relation → on semantic configurations, shown in Figure 3. The rule (Red Res) is the only one that uses renaming. This is important so that the parameters of events are not renamed after the execution of the event, to be able to compare them with the parameters of events executed later. This semantics is superficially different from those of [1, 14], which were defined using a structural congruence relation and a reduction relation on processes. The new semantics (in particular the renaming point mentioned above) provides simplifications in the definitions of correspondences (Definitions 2, 3, 6, 7, and 9) and in the proofs that correspondences hold.
2.3 Example

As a running example, we consider a simplified version of the Needham-Schroeder public-key protocol [60], with the correction by Lowe [53], in which host names are replaced by public keys, which makes interaction with a server useless. (The version tested in the benchmarks is the full version. Obviously, our tool can verify much more complex protocols; we use this simple example for illustrative purposes.) The protocol contains the following messages:

Message 1.  A → B: {a, pk_A}_{pk_B}
Message 2.  B → A: {a, b, pk_B}_{pk_A}
Message 3.  A → B: {b}_{pk_B}

A first sends to B a nonce (fresh name) a encrypted under the public key of B. B decrypts this message using his secret key sk_B and replies with the nonce a, a fresh nonce he chooses b, and its own public key pk_B, all encrypted under pk_A. When A receives this message, she decrypts it. When A sees the nonce a, she is convinced that B answered since only B can decrypt the first message and obtain a. Then A replies with the nonce b encrypted under pk_B. B decrypts this message. When B sees the nonce b, he is convinced that A replied, since only A could decrypt the second message and obtain b. The presence of pk_A in the first message and pk_B in the second message makes explicit that these messages are for sessions between A and B, and so avoids man-in-the-middle attacks, such as the well-known attack found by Lowe [53]. This protocol can be represented in our calculus by the process P, explained below:

P_A(sk_A, pk_A, pk_B) = !c(x_pk_B).(νa)event(e_1(pk_A, x_pk_B, a)).
    (νr_1)c⟨pencrypt_p((a, pk_A), x_pk_B, r_1)⟩.
    c(m).let (=a, x_b, =x_pk_B) = pdecrypt_p(m, sk_A) in
    event(e_3(pk_A, x_pk_B, a, x_b)).(νr_3)c⟨pencrypt_p(x_b, x_pk_B, r_3)⟩.
    if x_pk_B = pk_B then
        event(e_A(pk_A, x_pk_B, a, x_b)).c⟨sencrypt(sAa, a)⟩.c⟨sencrypt(sAb, x_b)⟩

P_B(sk_B, pk_B, pk_A) = !c(m').let (x_a, x_pk_A) = pdecrypt_p(m', sk_B) in (νb)
    event(e_2(x_pk_A, pk_B, x_a, b)).(νr_2)c⟨pencrypt_p((x_a, b, pk_B), x_pk_A, r_2)⟩.
    c(m'').let (=b) = pdecrypt_p(m'', sk_B) in
    if x_pk_A = pk_A then
        event(e_B(x_pk_A, pk_B, x_a, b)).c⟨sencrypt(sBa, x_a)⟩.c⟨sencrypt(sBb, b)⟩

P = (νsk_A)(νsk_B)let pk_A = pk(sk_A) in let pk_B = pk(sk_B) in
    c⟨pk_A⟩.c⟨pk_B⟩.(P_A(sk_A, pk_A, pk_B) | P_B(sk_B, pk_B, pk_A))

The channel c is public: the adversary can send and listen on it. We use a single public channel and not two or more channels because the adversary could take a message from one channel and relay it on another channel, thus removing any difference between the channels. The process P begins with the creation of the secret and public keys of A and B. The public keys are output on channel c to model that the adversary has them in its initial knowledge. Then the protocol itself starts: P_A represents A, P_B represents B. Both principals can run an unbounded number of sessions, so P_A and P_B start with replications.

We consider that A and B are both willing to talk to any principal. So, to determine to whom A will talk, we consider that A first inputs a message containing the public key x_pk_B of its interlocutor. (This interlocutor is therefore chosen by the adversary.) Then A starts a protocol run by choosing a nonce a, and executing the event e_1(pk_A, x_pk_B, a). Intuitively, this event records that A sent Message 1 of the protocol, for a run with the participant of public key x_pk_B, using the nonce a. Event e_1 is placed before the actual output of Message 1; this is necessary for the desired correspondences to hold: if event e_1 followed the output of Message 1, one would not be able to prove that event e_1 must have been executed, even though Message 1 must have been sent, because Message 1 could be sent without executing event e_1. The situation is similar for events e_2 and e_3 below. Then A sends the first message of the protocol pencrypt_p((a, pk_A), x_pk_B, r_1), where r_1 are fresh coins, used to model that public-key encryption is probabilistic. A waits for the second message and decrypts it using her secret key sk_A. If decryption succeeds, A checks that the message has the right form using the pattern-matching construct let (=a, x_b, =x_pk_B) = pdecrypt_p(m, sk_A) in ... This construct is syntactic sugar for let y = pdecrypt_p(m, sk_A) in let x_1 = 1th_3(y) in let x_b = 2th_3(y) in let x_3 = 3th_3(y) in if x_1 = a then if x_3 = x_pk_B then ... Then A executes the event e_3(pk_A, x_pk_B, a, x_b), to record that she has received Message 2 and sent Message 3 of the protocol, in a session with the participant of public key x_pk_B, and nonces a and x_b. Finally, she sends the last message of the protocol pencrypt_p(x_b, x_pk_B, r_3). After sending this message, A executes some actions needed only for specifying properties of the protocol. When x_pk_B = pk_B, that is, when the session is between A and B, A executes the event e_A(pk_A, x_pk_B, a, x_b), to record that A ended a session of the protocol, with the participant of public key x_pk_B and nonces a and x_b. A also outputs the secret name sAa encrypted under the nonce a and the secret name sAb encrypted under the nonce x_b. These outputs are helpful in order to formalize the secrecy of the nonces. Our tool can prove the secrecy of free names, but not the secrecy of bound names (such as a) or of variables (such as x_b). In order to overcome this limitation, we publish the encryption of a free name sAa under a; then sAa is secret if and only if the nonce a chosen by A is secret. Similarly, sAb is secret if and only if the nonce x_b received by A is secret.

The process P_B proceeds similarly: it executes the protocol, with the additional event e_2(x_pk_A, pk_B, x_a, b) to record that Message 1 has been received and Message 2 has been sent by B, in a session with the participant of public key x_pk_A and nonces x_a and b. After finishing the protocol itself, when x_pk_A = pk_A, that is, when the session is between A and B, P_B executes the event e_B(x_pk_A, pk_B, x_a, b), to record that B finished the protocol, and outputs sBa encrypted under x_a and sBb encrypted under b, to model the secrecy of x_a and b respectively.

The events will be used in order to formalize authentication. For example, we formalize that, if A ends a session of the protocol, then B has started a session of the protocol with the same nonces by requiring that, if e_A(x_1, x_2, x_3, x_4) has been executed, then e_2(x_1, x_2, x_3, x_4) has been executed.²

3 Definition of Correspondences 

In this section, we formally define the correspondences that we verify. We prove correspondences of the form "if an event e has been executed, then events $e_{11}, \ldots, e_{1l_1}$ have been executed, or ..., or $e_{m1}, \ldots, e_{ml_m}$ have been executed". These events may include arguments, which allows one to relate the values of variables at the various events. Furthermore, we can replace the event e with the fact that the adversary knows some term (which allows us to prove secrecy properties), or that a certain message has been sent on a certain channel. We can prove that each execution of e corresponds to a distinct execution of some events $e_{jk}$ (injective correspondences, defined in Section 3.2), and we can prove that the events $e_{jk}$ have been executed in a certain order (general correspondences, defined in Section 3.3).

We assume that the protocol is executed in the presence of an adversary that can listen to all messages, compute, and send all messages it has, following the so-called Dolev-Yao model [39]. Thus, an adversary can be represented by any process that has a set of public names Init in its initial knowledge and that does not contain events. (Although the initial knowledge of the adversary contains only names in Init, one can give any terms to the adversary by sending them on a channel in Init.)

Definition 1 Let Init be a finite set of names. The closed process Q is an Init-adversary if and only if fn(Q) ⊆ Init and Q does not contain events.

3.1 Non-injective Correspondences 

Next, we define when a trace satisfies an atom α, generated by the following grammar:

α ::=                       atom
    attacker(M)             attacker knowledge
    message(M, M')          message on a channel
    event(M)                event

Intuitively, a trace satisfies attacker(M) when the attacker has M, or equivalently, when M has been sent on a public channel in Init. It satisfies message(M, M') when the message M' has been sent on channel M. Finally, it satisfies event(M) when the event event(M) has been executed.

Definition 2 We say that a trace $T = E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ satisfies $\mathrm{attacker}(M)$ if and only if $T$ contains a reduction $E, \mathcal{P} \cup \{\overline{c}\langle M \rangle.Q,\ c(x).P\} \to E, \mathcal{P} \cup \{Q,\ P\{M/x\}\}$ for some $E$, $\mathcal{P}$, $x$, $P$, $Q$, and $c \in \mathit{Init}$.

We say that a trace $T = E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ satisfies $\mathrm{message}(M, M')$ if and only if $T$ contains a reduction $E, \mathcal{P} \cup \{\overline{M}\langle M' \rangle.Q,\ M(x).P\} \to E, \mathcal{P} \cup \{Q,\ P\{M'/x\}\}$ for some $E$, $\mathcal{P}$, $x$, $P$, $Q$.

We say that a trace $T = E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ satisfies $\mathrm{event}(M)$ if and only if $T$ contains a reduction $E, \mathcal{P} \cup \{\mathrm{event}(M).P\} \to E, \mathcal{P} \cup \{P\}$ for some $E$, $\mathcal{P}$, $P$.

$^2$ For this purpose, the event must not be executed when $A$ thinks she talks to the adversary. Indeed, in this case, it is correct that no event has been executed by the interlocutor of $A$, since the adversary never executes events.

The correspondence $\alpha \Rightarrow \bigvee_{j=1}^{m} \big(\alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathrm{event}(M_{jk})\big)$, formally defined below, means intuitively that, if an instance of $\alpha$ is satisfied, then for some $j \in \{1, \ldots, m\}$, the considered instance of $\alpha$ is an instance of $\alpha_j$ and a corresponding instance of each of the events $\mathrm{event}(M_{j1}), \ldots, \mathrm{event}(M_{jl_j})$ has been executed.$^3$

Definition 3 The closed process $P_0$ satisfies the correspondence
$$\alpha \Rightarrow \bigvee_{j=1}^{m} \Big( \alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathrm{event}(M_{jk}) \Big)$$
against $\mathit{Init}$-adversaries if and only if, for any $\mathit{Init}$-adversary $Q$, for any $E_0$ containing $\mathit{fn}(P_0) \cup \mathit{Init} \cup \mathit{fn}(\alpha) \cup \bigcup_j \mathit{fn}(\alpha_j) \cup \bigcup_{j,k} \mathit{fn}(M_{jk})$, for any substitution $\sigma$, for any trace $T = E_0, \{P_0, Q\} \to^* E', \mathcal{P}'$, if $T$ satisfies $\sigma\alpha$, then there exist $\sigma'$ and $j \in \{1, \ldots, m\}$ such that $\sigma'\alpha_j = \sigma\alpha$ and, for all $k \in \{1, \ldots, l_j\}$, $T$ satisfies $\mathrm{event}(\sigma' M_{jk})$ as well.

This definition is very general; we detail some interesting particular cases below. When $m = 0$, the disjunction $\bigvee_{j=1}^{0} \ldots$ is denoted by $\mathit{false}$. When $\alpha = \alpha_j$ for all $j$, we abbreviate the correspondence by $\alpha \rightsquigarrow \bigvee_{j=1}^{m} \bigwedge_{k=1}^{l_j} \mathrm{event}(M_{jk})$. This correspondence means that, if an instance of $\alpha$ is satisfied, then for some $j \le m$, a corresponding instance of $\mathrm{event}(M_{j1}), \ldots, \mathrm{event}(M_{jl_j})$ has been executed. The variables in $\alpha$ are universally quantified (because, in Definition 3, $\sigma$ is universally quantified). The variables in $M_{jk}$ that do not occur in $\alpha$ are existentially quantified (because $\sigma'$ is existentially quantified).

Example 1 In the process of Section 2.3, the correspondence $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{event}(e_1(x_1, x_2, x_3)) \wedge \mathrm{event}(e_2(x_1, x_2, x_3, x_4)) \wedge \mathrm{event}(e_3(x_1, x_2, x_3, x_4))$ means that, if the event $e_B(x_1, x_2, x_3, x_4)$ has been executed, then the events $e_1(x_1, x_2, x_3)$, $e_2(x_1, x_2, x_3, x_4)$, and $e_3(x_1, x_2, x_3, x_4)$ have been executed, with the same value of the arguments $x_1, x_2, x_3, x_4$.

The correspondence
$$\begin{array}{l}
\mathrm{event}(\mathit{R\_received}(\mathit{msg}(x, z))) \Rightarrow \\
\quad \big(\mathrm{event}(\mathit{R\_received}(\mathit{msg}(x, (z', \mathit{Auth})))) \rightsquigarrow \mathrm{event}(\mathit{S\_has}(k, \mathit{msg}(x, (z', \mathit{Auth})))) \wedge {} \\
\qquad \mathrm{event}(\mathit{TTP\_send}(\mathit{sign}((\mathit{sencrypt}(\mathit{msg}(x, (z', \mathit{Auth})), k), x), \mathit{sk}_{\mathit{TTP}})))\big) \\
\quad \vee \big(\mathrm{event}(\mathit{R\_received}(\mathit{msg}(x, (z', \mathit{NoAuth})))) \rightsquigarrow \mathrm{event}(\mathit{S\_has}(k, \mathit{msg}(x, (z', \mathit{NoAuth})))) \wedge {} \\
\qquad \mathrm{event}(\mathit{TTP\_send}(\mathit{sign}(\mathit{sencrypt}(\mathit{msg}(x, (z', \mathit{NoAuth})), k), \mathit{sk}_{\mathit{TTP}})))\big)
\end{array}$$
means that, if the event $\mathit{R\_received}(\mathit{msg}(x, z))$ has been executed, then two cases can happen: either $z = (z', \mathit{Auth})$ or $z = (z', \mathit{NoAuth})$ for some $z'$. In both cases, the events $\mathit{TTP\_send}(\mathit{certificate})$ and $\mathit{S\_has}(k, \mathit{msg}(x, z))$ have been executed for some $k$, but with a different value of $\mathit{certificate}$: $\mathit{certificate} = \mathit{sign}((\mathit{S2TTP}, x), \mathit{sk}_{\mathit{TTP}})$ when $z = (z', \mathit{Auth})$, and $\mathit{certificate} = \mathit{sign}(\mathit{S2TTP}, \mathit{sk}_{\mathit{TTP}})$ when $z = (z', \mathit{NoAuth})$, with $\mathit{S2TTP} = \mathit{sencrypt}(\mathit{msg}(x, z), k)$. A similar correspondence was used in our study of a certified email protocol, in collaboration with Martin Abadi [2, Section 5, Proposition 4]. We refer to that paper for additional details.

$^3$ The implementation in ProVerif uses a slightly different notation: $\alpha_j$ is omitted, but additionally equality tests are allowed on the right-hand side of $\rightsquigarrow$ so that one can check that $\alpha$ is actually an instance of $\alpha_j$.

The following definitions are particular cases of Definition 3. 

Definition 4 The closed process $P_0$ preserves the secrecy of all instances of $M$ from $\mathit{Init}$ if and only if it satisfies the correspondence $\mathrm{attacker}(M) \rightsquigarrow \mathit{false}$ against $\mathit{Init}$-adversaries.

When M is a free name, this definition is equivalent to that of [1]. 

Example 2 The process $P_0$ of Section 2.3 preserves the secrecy of $\mathit{sAa}$ when the correspondence $\mathrm{attacker}(\mathit{sAa}) \rightsquigarrow \mathit{false}$ is satisfied. In this case, intuitively, $P_0$ preserves the secrecy of the nonce $a$ that $A$ chooses. The situation is similar for $\mathit{sAb}$, $\mathit{sBa}$, and $\mathit{sBb}$.

Definition 5 Non-injective agreement is a correspondence of the form $\mathrm{event}(e(x_1, \ldots, x_n)) \rightsquigarrow \mathrm{event}(e'(x_1, \ldots, x_n))$.

Intuitively, the correspondence $\mathrm{event}(e(x_1, \ldots, x_n)) \rightsquigarrow \mathrm{event}(e'(x_1, \ldots, x_n))$ means that, if an event $e(M_1, \ldots, M_n)$ is executed, then the event $e'(M_1, \ldots, M_n)$ has also been executed. This definition can be used to represent Lowe's notion of non-injective agreement [54].

Example 3 In the example of Section 2.3, the correspondence $\mathrm{event}(e_A(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{event}(e_2(x_1, x_2, x_3, x_4))$ means that, if $A$ executes an event $e_A(x_1, x_2, x_3, x_4)$, then $B$ has executed the event $e_2(x_1, x_2, x_3, x_4)$. So, if $A$ terminates the protocol thinking she talks to $B$, then $B$ is actually involved in the protocol. Moreover, the agreement on the parameters of the events, $\mathit{pk}_A = x\_\mathit{pk}_A$, $x\_\mathit{pk}_B = \mathit{pk}_B$, $a = x\_a$, and $x\_b = b$, implies that $B$ actually thinks he talks to $A$, and that $A$ and $B$ agree on the values of the nonces.

The correspondence $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{event}(e_3(x_1, x_2, x_3, x_4))$ is similar, after swapping the roles of $A$ and $B$.

3.2 Injective Correspondences 

Definition 6 We say that the event $\mathrm{event}(M)$ is executed at step $\tau$ in a trace $T = E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ if and only if the $\tau$-th reduction of $T$ is of the form $E, \mathcal{P} \cup \{\mathrm{event}(M).P\} \to E, \mathcal{P} \cup \{P\}$ for some $E$, $\mathcal{P}$, $P$.

Intuitively, an injective correspondence $\mathrm{event}(M) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(M')$ requires that each event $\mathrm{event}(\sigma M)$ is enabled by distinct events $\mathrm{event}(\sigma M')$, while a non-injective correspondence $\mathrm{event}(M) \rightsquigarrow \mathrm{event}(M')$ allows several events $\mathrm{event}(\sigma M)$ to be enabled by the same event $\mathrm{event}(\sigma M')$. We denote by $[\mathrm{inj}]$ an optional $\mathrm{inj}$ marker: it can be either $\mathrm{inj}$ or nothing. When $[\mathrm{inj}] = \mathrm{inj}$, an injective correspondence is required. When $[\mathrm{inj}]$ is nothing, the correspondence does not need to be injective.

Definition 7 The closed process $P_0$ satisfies the correspondence
$$\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathrm{event}(N_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, \mathrm{event}(M_{jk}) \Big)$$
against $\mathit{Init}$-adversaries if and only if, for any $\mathit{Init}$-adversary $Q$, for any $E_0$ containing $\mathit{fn}(P_0) \cup \mathit{Init} \cup \mathit{fn}(M) \cup \bigcup_j \mathit{fn}(N_j) \cup \bigcup_{j,k} \mathit{fn}(M_{jk})$, for any trace $T = E_0, \{P_0, Q\} \to^* E', \mathcal{P}'$, there exist functions $\phi_{jk}$ from a subset of steps in $T$ to steps in $T$ such that

• For all $\tau$, if the event $\mathrm{event}(\sigma M)$ is executed at step $\tau$ in $T$ for some $\sigma$, then there exist $\sigma'$ and $j$ such that $\sigma' N_j = \sigma M$ and, for all $k \in \{1, \ldots, l_j\}$, $\phi_{jk}(\tau)$ is defined and $\mathrm{event}(\sigma' M_{jk})$ is executed at step $\phi_{jk}(\tau)$ in $T$.

• If $[\mathrm{inj}]_{jk} = \mathrm{inj}$, then $\phi_{jk}$ is injective.

The functions $\phi_{jk}$ map execution steps of events $\mathrm{event}(\sigma M)$ to the execution steps of the events $\mathrm{event}(\sigma' M_{jk})$ that enable $\mathrm{event}(\sigma M)$. When $[\mathrm{inj}]_{jk} = \mathrm{inj}$, the injectivity of $\phi_{jk}$ guarantees that distinct executions of $\mathrm{event}(\sigma M)$ correspond to distinct executions of $\mathrm{event}(\sigma' M_{jk})$. When $M = N_j$ for all $j$, we abbreviate the correspondence by $\mathrm{event}(M) \rightsquigarrow \bigvee_{j=1}^{m} \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, \mathrm{event}(M_{jk})$, as in the non-injective case.

Woo and Lam's correspondence assertions [71] are a particular case of this definition. Indeed, they consider properties of the form: if $\gamma_1$ or $\ldots$ or $\gamma_k$ have been executed, then $\mu_1$ or $\ldots$ or $\mu_m$ must have been executed, denoted by $\gamma_1 \mid \ldots \mid \gamma_k \hookleftarrow \mu_1 \mid \ldots \mid \mu_m$. Such a correspondence assertion is formalized in our setting by: for all $i \in \{1, \ldots, k\}$, the process satisfies the correspondence $\mathrm{event}(\gamma_i) \rightsquigarrow \bigvee_{j=1}^{m} \mathrm{event}(\mu_j)$.

Remark 1 Correspondences $\alpha \Rightarrow \bigvee_{j=1}^{m} \big(\alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, \mathrm{event}(M_{jk})\big)$ with $\alpha = \mathrm{attacker}(M)$ and at least one $\mathrm{inj}$ marker would always be wrong: the adversary can always repeat the output of $M$ on one of his channels any number of times. With $\alpha = \mathrm{message}(M, M')$ and at least one $\mathrm{inj}$ marker, the correspondence may be true only when the adversary cannot execute the corresponding output. For simplicity, we focus on the case $\alpha = \mathrm{event}(M)$ only.

Definition 8 Injective agreement is a correspondence of the form $\mathrm{event}(e(x_1, \ldots, x_n)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e'(x_1, \ldots, x_n))$.

Injective agreement requires that the number of executions of $\mathrm{event}(e(M_1, \ldots, M_n))$ is smaller than or equal to the number of executions of $\mathrm{event}(e'(M_1, \ldots, M_n))$: each execution of $\mathrm{event}(e(M_1, \ldots, M_n))$ corresponds to a distinct execution of $\mathrm{event}(e'(M_1, \ldots, M_n))$. This corresponds to Lowe's agreement specification [54].
Example 4 In the example of Section 2.3, the correspondence $\mathrm{event}(e_A(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e_2(x_1, x_2, x_3, x_4))$ means that each execution of $\mathrm{event}(e_A(x_1, x_2, x_3, x_4))$ corresponds to a distinct execution of $\mathrm{event}(e_2(x_1, x_2, x_3, x_4))$. So each completed session of $A$ talking to $B$ corresponds to a distinct session of $B$ talking to $A$, and $A$ and $B$ agree on the values of the nonces.

The correspondence $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e_3(x_1, x_2, x_3, x_4))$ is similar, after swapping the roles of $A$ and $B$.

3.3 General Correspondences 

Correspondences also give information on the order in which events are executed. Indeed, if we have the correspondence
$$\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathrm{event}(N_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, \mathrm{event}(M_{jk}) \Big)$$
then the events $\mathrm{event}(M_{jk})$ for $k \le l_j$ have been executed before $\mathrm{event}(N_j)$. Formally, in the definition of injective correspondences, we can define $\phi_{jk}$ such that $\phi_{jk}(\tau) < \tau$ when $\phi_{jk}$ is defined. (The inequality $\tau' < \tau$ means that $\tau'$ occurs before $\tau$ in the trace.) Indeed, otherwise, by considering the prefix of the trace that stops just after $\tau$, we would contradict the correspondence. In this section, we exploit this point to define more general properties involving the ordering of events.

Let us first consider some examples. Using the process of Section 2.3, we will denote by
$$\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \big(\mathrm{inj}\ \mathrm{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \big(\mathrm{inj}\ \mathrm{event}(e_2(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e_1(x_1, x_2, x_3))\big)\big) \qquad (1)$$
the correspondence that means that each execution of the event $e_B(x_1, x_2, x_3, x_4)$ corresponds to distinct executions of the events $e_1(x_1, x_2, x_3)$, $e_2(x_1, x_2, x_3, x_4)$, and $e_3(x_1, x_2, x_3, x_4)$ in this order: each execution of $e_B(x_1, x_2, x_3, x_4)$ is preceded by a distinct execution of $e_3(x_1, x_2, x_3, x_4)$, which is itself preceded by a distinct execution of $e_2(x_1, x_2, x_3, x_4)$, which is itself preceded by a distinct execution of $e_1(x_1, x_2, x_3)$. This correspondence shows that, when $B$ terminates the protocol talking with $A$, $A$ and $B$ have exchanged all messages of the protocol in the expected order. This correspondence is not equivalent to the conjunction of the correspondences $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e_3(x_1, x_2, x_3, x_4))$, $\mathrm{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e_2(x_1, x_2, x_3, x_4))$, and $\mathrm{event}(e_2(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e_1(x_1, x_2, x_3))$, because (1) may be true even when, in order to prove that $e_2$ is executed, we need to know that $e_B$ has been executed, and not only that $e_3$ has been executed and, similarly, in order to prove that $e_1$ has been executed, we need to know that $e_B$ has been executed, and not only that $e_2$ has been executed. Using general correspondences such as (1) is therefore strictly more expressive than using injective correspondences. A correspondence similar to (1) has been used in our study of the Just Fast Keying protocol, one of the proposed replacements for IKE in IPSec, in collaboration with Martin Abadi and Cédric Fournet [3, Appendix B.5].
As a more generic example, the correspondence $\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \big(\mathrm{event}(M_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} ([\mathrm{inj}]_{jk}\, \mathrm{event}(M_{jk}) \rightsquigarrow \bigvee_{j'=1}^{m_{jk}} \bigwedge_{k'=1}^{l_{jkj'}} [\mathrm{inj}]_{jkj'k'}\, \mathrm{event}(M_{jkj'k'}))\big)$ means that, if an instance of $\mathrm{event}(M)$ has been executed, then there exists $j$ such that this instance of $\mathrm{event}(M)$ is an instance of $\mathrm{event}(M_j)$ and for all $k$, a corresponding instance of $\mathrm{event}(M_{jk})$ has been executed before $\mathrm{event}(M_j)$, and there exists $j'_k$ such that for all $k'$ a corresponding instance of $\mathrm{event}(M_{jkj'_k k'})$ has been executed before $\mathrm{event}(M_{jk})$.

Let us now consider the general definition. We denote by $\tilde{k}$ a sequence of indices $k$. The empty sequence is denoted $\varepsilon$. When $\tilde{j} = j_1 \cdots j_n$ and $\tilde{k} = k_1 \cdots k_n$ are sequences of the same length, we denote by $\tilde{j}\tilde{k}$ the sequence obtained by taking alternately one index in each sequence $\tilde{j}$ and $\tilde{k}$: $\tilde{j}\tilde{k} = j_1 k_1 \cdots j_n k_n$. We sometimes use $\tilde{j}\tilde{k}$ as an identifier that denotes a sequence obtained in this way; for instance, "for all $\tilde{j}\tilde{k}$, $\phi_{\tilde{j}\tilde{k}}$ is injective" abbreviates "for all $\tilde{j}$ and $\tilde{k}$ of the same length, $\phi_{\tilde{j}\tilde{k}}$ is injective". We only consider sequences $\tilde{j}\tilde{k}$ that occur in the correspondence. For instance, for the correspondence $\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \big(\mathrm{event}(M_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} ([\mathrm{inj}]_{jk}\, \mathrm{event}(M_{jk}) \rightsquigarrow \bigvee_{j'=1}^{m_{jk}} \bigwedge_{k'=1}^{l_{jkj'}} [\mathrm{inj}]_{jkj'k'}\, \mathrm{event}(M_{jkj'k'}))\big)$, we consider the sequences $\tilde{j}\tilde{k} = \varepsilon$, $\tilde{j}\tilde{k} = jk$, and $\tilde{j}\tilde{k} = jkj'k'$ where $1 \le j \le m$, $1 \le k \le l_j$, $1 \le j' \le m_{jk}$, and $1 \le k' \le l_{jkj'}$.

Given a family of indices $J = (j_{\tilde{k}})_{\tilde{k}}$ indexed by sequences of indices $\tilde{k}$, we define $\mathrm{makejk}(\tilde{k}, J)$ by $\mathrm{makejk}(\varepsilon, J) = \varepsilon$ and $\mathrm{makejk}(\tilde{k}k, J) = \mathrm{makejk}(\tilde{k}, J)\, j_{\tilde{k}}\, k$. Less formally, if $\tilde{k} = k_1 k_2 k_3 \ldots$, we have $\mathrm{makejk}(\tilde{k}, J) = j_{\varepsilon} k_1\, j_{k_1} k_2\, j_{k_1 k_2} k_3 \ldots$ Intuitively, the correspondence contains disjunctions over indices $j$ and conjunctions over indices $k$, so we would like to express quantifications of the form $\exists j_{\varepsilon} \forall k_1 \exists j_{k_1} \forall k_2 \exists j_{k_1 k_2} \forall k_3 \ldots$ on the sequence $j_{\varepsilon} k_1\, j_{k_1} k_2\, j_{k_1 k_2} k_3 \ldots$ The notation $\mathrm{makejk}(\tilde{k}, J)$ allows us to replace such a quantification with the quantification $\exists J \forall \tilde{k}$ on the sequence $\mathrm{makejk}(\tilde{k}, J)$.

Definition 9 The closed process $P_0$ satisfies the correspondence
$$\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathrm{event}(M_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, q_{jk} \Big)$$
where
$$q_{\tilde{j}\tilde{k}} = \mathrm{event}(M_{\tilde{j}\tilde{k}}) \rightsquigarrow \bigvee_{j=1}^{m_{\tilde{j}\tilde{k}}} \bigwedge_{k=1}^{l_{\tilde{j}\tilde{k}j}} [\mathrm{inj}]_{\tilde{j}\tilde{k}jk}\, q_{\tilde{j}\tilde{k}jk}$$
against $\mathit{Init}$-adversaries if and only if, for any $\mathit{Init}$-adversary $Q$, for any $E_0$ containing $\mathit{fn}(P_0) \cup \mathit{Init} \cup \mathit{fn}(M) \cup \bigcup_j \mathit{fn}(M_j) \cup \bigcup_{\tilde{j}\tilde{k}} \mathit{fn}(M_{\tilde{j}\tilde{k}})$, for any trace $T = E_0, \{P_0, Q\} \to^* E', \mathcal{P}'$, there exists a function $\phi_{\tilde{j}\tilde{k}}$ for each non-empty $\tilde{j}\tilde{k}$, such that for all non-empty $\tilde{j}\tilde{k}$, $\phi_{\tilde{j}\tilde{k}}$ maps a subset of steps of $T$ to steps of $T$ and

• For all $\tau$, if the event $\mathrm{event}(\sigma M)$ is executed at step $\tau$ in $T$ for some $\sigma$, then there exist $\sigma'$ and $J = (j_{\tilde{k}})_{\tilde{k}}$ such that $\sigma' M_{j_{\varepsilon}} = \sigma M$ and, for all non-empty $\tilde{k}$, $\phi_{\mathrm{makejk}(\tilde{k}, J)}(\tau)$ is defined and $\mathrm{event}(\sigma' M_{\mathrm{makejk}(\tilde{k}, J)})$ is executed at step $\phi_{\mathrm{makejk}(\tilde{k}, J)}(\tau)$ in $T$.

• For all non-empty $\tilde{j}\tilde{k}$, if $[\mathrm{inj}]_{\tilde{j}\tilde{k}} = \mathrm{inj}$, then $\phi_{\tilde{j}\tilde{k}}$ is injective.

• For all non-empty $\tilde{j}\tilde{k}$, for all $j$ and $k$, if $\phi_{\tilde{j}\tilde{k}jk}(\tau)$ is defined, then $\phi_{\tilde{j}\tilde{k}}(\tau)$ is defined and $\phi_{\tilde{j}\tilde{k}jk}(\tau) < \phi_{\tilde{j}\tilde{k}}(\tau)$. For all $j$ and $k$, if $\phi_{jk}(\tau)$ is defined, then

We abbreviate by $q_{\tilde{j}\tilde{k}} = \mathrm{event}(M_{\tilde{j}\tilde{k}})$ the correspondence $q_{\tilde{j}\tilde{k}} = \mathrm{event}(M_{\tilde{j}\tilde{k}}) \rightsquigarrow \bigvee_{j=1}^{m_{\tilde{j}\tilde{k}}} \bigwedge_{k=1}^{l_{\tilde{j}\tilde{k}j}} [\mathrm{inj}]_{\tilde{j}\tilde{k}jk}\, q_{\tilde{j}\tilde{k}jk}$ when $m_{\tilde{j}\tilde{k}} = 1$ and $l_{\tilde{j}\tilde{k}1} = 0$, that is, the disjunction $\bigvee_{j=1}^{1} \bigwedge_{k=1}^{0} [\mathrm{inj}]_{\tilde{j}\tilde{k}jk}\, q_{\tilde{j}\tilde{k}jk}$ is true. Injective correspondences are then a particular case of general correspondences.

The function $\phi_{\tilde{j}\tilde{k}}$ maps the execution steps of instances of $\mathrm{event}(M)$ to the execution steps of the corresponding instances of $\mathrm{event}(M_{\tilde{j}\tilde{k}})$. The first item of Definition 9 guarantees that the required events have been executed. The second item means that, when the $\mathrm{inj}$ marker is present, the correspondence is injective. Finally, the third item guarantees that the events have been executed in the expected order.

Example 5 Let us consider again the correspondence (1). Using the notations of Definition 9, this correspondence is written $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ q_{11}$ (or $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow \mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ q_{11}$), where $q_{11} = \mathrm{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ q_{1111}$, $q_{1111} = \mathrm{event}(e_2(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ q_{111111}$, and $q_{111111} = \mathrm{event}(e_1(x_1, x_2, x_3))$. By Definition 9, this correspondence means that there exist functions $\phi_{11}$, $\phi_{1111}$, and $\phi_{111111}$ such that:

• For all $\tau$, if the event $\mathrm{event}(\sigma e_B(x_1, x_2, x_3, x_4))$ is executed at step $\tau$ for some $\sigma$, then $\phi_{11}(\tau)$, $\phi_{1111}(\tau)$, and $\phi_{111111}(\tau)$ are defined, and $\mathrm{event}(\sigma e_3(x_1, x_2, x_3, x_4))$ is executed at step $\phi_{11}(\tau)$, $\mathrm{event}(\sigma e_2(x_1, x_2, x_3, x_4))$ is executed at step $\phi_{1111}(\tau)$, and $\mathrm{event}(\sigma e_1(x_1, x_2, x_3))$ is executed at step $\phi_{111111}(\tau)$. (Here, $\sigma' = \sigma$ since all variables of the correspondence occur in $\mathrm{event}(e_B(x_1, x_2, x_3, x_4))$. Moreover, $j_{\tilde{k}} = 1$ for all $\tilde{k}$ and the non-empty sequences $\tilde{k}$ are $1$, $11$, and $111$, since all conjunctions and disjunctions have a single element. The sequences $\mathrm{makejk}(\tilde{k}, J)$ are then $11$, $1111$, and $111111$.)

• The functions $\phi_{11}$, $\phi_{1111}$, and $\phi_{111111}$ are injective, so distinct executions of $e_B(x_1, x_2, x_3, x_4)$ correspond to distinct executions of $e_1(x_1, x_2, x_3)$, $e_2(x_1, x_2, x_3, x_4)$, and $e_3(x_1, x_2, x_3, x_4)$.

• When $\phi_{111111}(\tau)$ is defined, $\phi_{111111}(\tau) < \phi_{1111}(\tau) < \phi_{11}(\tau) < \tau$, so the events $e_1(x_1, x_2, x_3)$, $e_2(x_1, x_2, x_3, x_4)$, and $e_3(x_1, x_2, x_3, x_4)$ are executed in this order, before $e_B(x_1, x_2, x_3, x_4)$.
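As an added example (not code from the paper or from ProVerif), the following Python checker decides, for a finite trace, whether the functions $\phi$ of Definitions 7 and 9 exist for a chain such as correspondence (1), and contrasts that with the unordered conjunction of Definition 7 (Example 4 style). The trace representation, the sample traces, and the convention that an inner event takes a prefix of the outer event's arguments (as $e_1(x_1, x_2, x_3)$ does under $e_B(x_1, x_2, x_3, x_4)$) are assumptions of this illustration.

```python
# Added example: trace checker for chains of [inj] correspondences (Definition 9,
# Example 5), not the paper's or ProVerif's code.
# Assumptions: a trace is a list of (event name, argument tuple) in execution order;
# the step tau of an event is its 1-based position; an inner event's arguments are a
# prefix of the outer event's arguments (e_1(x1,x2,x3) under e_B(x1,x2,x3,x4)).

def find_phi(trace, bounds, chain, injective):
    """Search for phi for the chain  outer ~> [inj] chain[0] ~> [inj] chain[1] ~> ...

    bounds: list of (step, args): each entry requires an execution of chain[0] with
            the matching arguments strictly before `step`.
    chain:  list of (event name, arity), outermost required event first.
    Returns one list per chain level with the chosen step for each entry of bounds
    (phi_11, phi_1111, ... in the notation of Example 5), or None if no phi exists.
    """
    if not chain:
        return []
    name, arity = chain[0]

    def search(i, used, chosen):
        if i == len(bounds):
            # Every execution is matched at this level; the chosen steps become the
            # bounds of the next level (third item of Definition 9: the inner event
            # precedes the event that required it).
            inner = [(step, args) for step, (_, args) in zip(chosen, bounds)]
            rest = find_phi(trace, inner, chain[1:], injective)
            return None if rest is None else [list(chosen)] + rest
        bound, args = bounds[i]
        for step in range(bound - 1, 0, -1):        # candidates strictly before bound
            ev, ev_args = trace[step - 1]
            if ev != name or ev_args != args[:arity]:
                continue
            if injective and step in used:           # phi must be injective
                continue
            found = search(i + 1, used | {step}, chosen + [step])
            if found is not None:
                return found
        return None                                  # backtrack

    return search(0, frozenset(), [])


def holds_chain(trace, outer, chain, injective=True):
    """Correspondence in the shape of (1): every execution of `outer` is preceded by
    executions of chain[0], chain[1], ... in reverse order, distinct ones if injective."""
    bounds = [(step, args) for step, (ev, args) in enumerate(trace, 1) if ev == outer]
    return find_phi(trace, bounds, chain, injective) is not None


def holds_conjunction(trace, outer, events, injective=True):
    """Definition 7 with one disjunct and M = N_1:  outer ~> /\_k [inj] event_k.
    Each phi_1k is found separately, so the required events only have to precede
    `outer`; no order among them is demanded."""
    return all(holds_chain(trace, outer, [ev], injective) for ev in events)


# Constructed traces for the events of Section 2.3 (arguments: pkA, pkB, a, b).
PKA, PKB, A, B = "pkA", "pkB", "a1", "b1"
HONEST = [("e_1", (PKA, PKB, A)), ("e_2", (PKA, PKB, A, B)),
          ("e_3", (PKA, PKB, A, B)), ("e_B", (PKA, PKB, A, B))]
REPLAYED = HONEST + [("e_B", (PKA, PKB, A, B))]          # B's final event twice
MISORDERED = [("e_1", (PKA, PKB, A)), ("e_3", (PKA, PKB, A, B)),
              ("e_2", (PKA, PKB, A, B)), ("e_B", (PKA, PKB, A, B))]
CHAIN = [("e_3", 4), ("e_2", 4), ("e_1", 3)]   # e_B ~> inj e_3 ~> inj e_2 ~> inj e_1

if __name__ == "__main__":
    print(find_phi(HONEST, [(4, (PKA, PKB, A, B))], CHAIN, True))  # [[3], [2], [1]]
    print(holds_chain(REPLAYED, "e_B", CHAIN))                      # False: not injective
    print(holds_chain(REPLAYED, "e_B", CHAIN, injective=False))     # True
    print(holds_chain(MISORDERED, "e_B", CHAIN))                    # False: e_3 before e_2
    print(holds_conjunction(MISORDERED, "e_B", CHAIN))              # True: no order required
```

The replayed trace separates injective from non-injective agreement, and the misordered trace separates (1) from the plain conjunction of Definition 7, which is what the text above says general correspondences add.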

Similarly, general correspondences allow us to express that, if a protocol participant 
successfully terminates with honest interlocutors, then the expected messages of the 
protocol have been exchanged between the protocol participants, in the expected order. 
This notion is the formal counterpart of the notion of matching conversations initially 
introduced in the computational model by Bellare and Rogaway [11]. This notion of 
authentication is also used in [34]. 

We first focus on non-injective correspondences, and postpone the treatment of 
general correspondences to Section 7.2. 
4 Automatic Verification: from Secrecy to Correspondences



Let us first summarize our analysis for secrecy. The clauses use two predicates: $\mathrm{attacker}$ and $\mathrm{message}$, where $\mathrm{attacker}(M)$ means that the attacker may have the message $M$ and $\mathrm{message}(M, M')$ means that the message $M'$ may be sent on channel $M$. The clauses relate atoms that use these predicates as follows. A clause $\mathrm{message}(M_1, M'_1) \wedge \ldots \wedge \mathrm{message}(M_n, M'_n) \Rightarrow \mathrm{message}(M, M')$ is generated when the process outputs $M'$ on channel $M$ after receiving $M'_1, \ldots, M'_n$ on channels $M_1, \ldots, M_n$ respectively. A clause $\mathrm{attacker}(M_1) \wedge \ldots \wedge \mathrm{attacker}(M_n) \Rightarrow \mathrm{attacker}(M)$ is generated when the attacker can compute $M$ from $M_1, \ldots, M_n$. The clause $\mathrm{message}(x, y) \wedge \mathrm{attacker}(x) \Rightarrow \mathrm{attacker}(y)$ means that the attacker can listen on channel $x$ when he has $x$, and the clause $\mathrm{attacker}(x) \wedge \mathrm{attacker}(y) \Rightarrow \mathrm{message}(x, y)$ means that the attacker can send any message $y$ he has on any channel $x$ he has. When $\mathrm{attacker}(M)$ is derivable from the clauses, the attacker may have $M$; that is, when $\mathrm{attacker}(M)$ is not derivable from the clauses, we are sure that the attacker cannot have $M$, but the converse is not true, because the Horn clauses can be applied any number of times, which is not true in general for all actions of the process. Similarly, when $\mathrm{message}(M, M')$ is derivable from the clauses, the message $M'$ may be sent on channel $M$. Hence our analysis overapproximates the execution of actions.

Let us now consider that we want to prove a correspondence, for instance $\mathrm{event}(e_1(x)) \rightsquigarrow \mathrm{event}(e_2(x))$. In order to prove this correspondence, we can overapproximate the executions of event $e_1$: if we prove the correspondence with this overapproximation, it will also hold in the exact semantics. So we can easily extend our analysis for secrecy with an additional predicate $\mathrm{event}$, such that $\mathrm{event}(M)$ means that $\mathrm{event}(M)$ may have been executed. We generate clauses $\mathrm{message}(M_1, M'_1) \wedge \ldots \wedge \mathrm{message}(M_n, M'_n) \Rightarrow \mathrm{event}(M)$ when the process executes $\mathrm{event}(M)$ after receiving $M'_1, \ldots, M'_n$ on channels $M_1, \ldots, M_n$ respectively. However, such an overapproximation cannot be done for the event $e_2$: if we prove the correspondence after overapproximating the execution of $e_2$, we are not really sure that $e_2$ will be executed, so the correspondence may be wrong in the exact semantics. Therefore, we have to use a different method for treating $e_2$.

We use the following idea: we fix the exact set $\mathcal{E}$ of allowed events $e_2(M)$ and, in order to prove $\mathrm{event}(e_1(x)) \rightsquigarrow \mathrm{event}(e_2(x))$, we check that only events $e_1(M)$ for $M$ such that $e_2(M) \in \mathcal{E}$ can be executed. If we prove this property for any value of $\mathcal{E}$, we have proved the desired correspondence. So we introduce a predicate $\text{m-event}$, such that $\text{m-event}(e_2(M))$ is true if and only if $e_2(M) \in \mathcal{E}$. We generate clauses $\mathrm{message}(M_1, M'_1) \wedge \ldots \wedge \mathrm{message}(M_n, M'_n) \wedge \text{m-event}(e_2(M_0)) \Rightarrow \mathrm{message}(M, M')$ when the process outputs $M'$ on channel $M$ after executing the event $e_2(M_0)$ and receiving $M'_1, \ldots, M'_n$ on channels $M_1, \ldots, M_n$ respectively. In other words, the output of $M'$ on channel $M$ can be executed only when $\text{m-event}(e_2(M_0))$ is true, that is, $e_2(M_0) \in \mathcal{E}$. (When the output of $M'$ on channel $M$ is under several events, the clause contains several $\text{m-event}$ atoms in its hypothesis. We also have similar clauses with $\mathrm{event}(e_1(M))$ instead of $\mathrm{message}(M, M')$ when the event $e_1$ is executed after executing $e_2$ and receiving $M'_1, \ldots, M'_n$ on channels $M_1, \ldots, M_n$ respectively.)

For instance, if the events $e_2(M_1)$ and $e_2(M_2)$ are executed in a certain trace of the protocol, we define $\mathcal{E} = \{e_2(M_1), e_2(M_2)\}$, so that $\text{m-event}(e_2(M_1))$ and $\text{m-event}(e_2(M_2))$ are true and all other $\text{m-event}$ facts are false. Then we show that the only events $e_1$ that may be executed are $e_1(M_1)$ and $e_1(M_2)$. We prove a similar result for all values of $\mathcal{E}$, which proves the desired correspondence.

In order to determine whether an atom is derivable from the clauses, we use a resolution-based algorithm. The resolution is performed for an unknown value of $\mathcal{E}$. So, basically, we keep $\text{m-event}$ atoms without trying to evaluate them (which we cannot do since $\mathcal{E}$ is unknown). In the vocabulary of resolution, we never select $\text{m-event}$ atoms. (We detail this point in Section 6.1.) Thus the obtained result holds for any value of $\mathcal{E}$, which allows us to prove correspondences. In order to prove the correspondence $\mathrm{event}(e_1(x)) \rightsquigarrow \mathrm{event}(e_2(x))$, we show that $\mathrm{event}(e_1(M))$ is derivable only when $\text{m-event}(e_2(M))$ holds. We transform the initial set of clauses into a set of clauses that derives the same atoms. If, in the obtained set of clauses, all clauses that conclude $\mathrm{event}(e_1(M))$ contain $\text{m-event}(e_2(M))$ in their hypotheses, then $\mathrm{event}(e_1(M))$ is derivable only when $\text{m-event}(e_2(M))$ holds, so the desired correspondence holds.

We still have to solve one problem. For simplicity, we have considered that terms, which represent messages, are directly used in clauses. However, in order to represent nonces in our analysis for secrecy, we use a special encoding of names: a name $a$ created by a restriction $(\nu a)$ is represented by a function $a[M_1, \ldots, M_n]$ of the messages $M_1, \ldots, M_n$ received above the restriction, so that names created after receiving different messages are distinguished in the analysis (which is important for the precision of the analysis). However, this encoding still merges names created by the same restriction after receiving the same messages. For example, in the process $!c(x).(\nu a)$, the names created by $(\nu a)$ are represented by $a[x]$, so several names created for the same value of $x$ are merged. This merging is not acceptable for the verification of correspondences, because when we prove $\mathrm{event}(e_1(x)) \rightsquigarrow \mathrm{event}(e_2(x))$, we must make sure that $x$ contains exactly the same names in $e_1(x)$ and in $e_2(x)$. In order to solve this problem, we label each replication with a session identifier $i$, which is an integer that takes a different value for each copy of the process generated by the replication. We add session identifiers as arguments to our encoding of names, which becomes $a[M_1, \ldots, M_n, i_1, \ldots, i_{n'}]$ where $i_1, \ldots, i_{n'}$ are the session identifiers of the replications above the restriction $(\nu a)$. For example, in the process $!c(x).(\nu a)$, the names created by $(\nu a)$ are represented by $a[x, i]$. Each execution of the restriction is then associated with a distinct value of the session identifiers $i_1, \ldots, i_{n'}$, so each name has a distinct encoding. We detail and formalize this encoding in Section 5.1.

5 From Processes to Horn Clauses 

In this section, we first explain the instrumentation of processes with session identifiers. 
Next, we explain the translation of processes into Horn clauses. 
5.1 Instrumented Processes

We consider a closed process $P_0$ representing the protocol we wish to check. We assume that the bound names of $P_0$ have been renamed so that they are pairwise distinct and distinct from names in $\mathit{Init} \cup \mathit{fn}(P_0)$ and in the correspondence to prove. We denote by $Q$ a particular adversary; below, we prove the correspondence properties for any $Q$. Furthermore, we assume that, in the initial configuration $E_0, \{P_0, Q\}$, the names of $E_0$ not in $\mathit{Init} \cup \mathit{fn}(P_0)$ or in the correspondence to prove have been renamed to fresh names, and the bound names of $Q$ have been renamed so that they are pairwise distinct and fresh. (These renamings do not change the satisfied correspondences, since $(\nu a)P$ and the renamed process $(\nu a')P\{a'/a\}$ reduce to the same configuration by (Red Res).) After encoding names, the terms are represented by patterns $p$ (or "terms", but we prefer the word "patterns" in order to avoid confusion), which are generated by the following grammar:

$p ::=$ patterns
  $x, y, z, i$ variable
  $a[p_1, \ldots, p_n, i_1, \ldots, i_{n'}]$ name
  $f(p_1, \ldots, p_n)$ constructor application

For each name $a$ in $P_0$ we have a corresponding pattern construct $a[p_1, \ldots, p_n, i_1, \ldots, i_{n'}]$. We treat $a$ as a function symbol, and write $a[p_1, \ldots, p_n, i_1, \ldots, i_{n'}]$ rather than $a(p_1, \ldots, p_n, i_1, \ldots, i_{n'})$ only to distinguish names from constructors. The symbol $a$ in $a[\ldots]$ is called a name function symbol. If $a$ is a free name, then its encoding is simply $a[]$. If $a$ is bound by a restriction $(\nu a)P$ in $P_0$, then its encoding $a[\ldots]$ takes as argument session identifiers $i_1, \ldots, i_{n'}$, which can be constant session identifiers $\lambda$ or variables $i$ (taken in a set $\mathcal{V}_s$ disjoint from the set $\mathcal{V}_o$ of ordinary variables). There is one session identifier for each replication above the restriction $(\nu a)$. The pattern $a[\ldots]$ may also take as argument patterns $p_1, \ldots, p_n$ containing the messages received by inputs above the restriction $(\nu a)P$ in the abstract syntax tree of $P_0$ and the result of destructor applications above the restriction $(\nu a)P$. (The precise definition is given below.)

In order to define formally the patterns associated with a name, we use a notion of instrumented processes. The syntax of instrumented processes is defined as follows:

• The replication $!P$ is labeled with a variable $i$ in $\mathcal{V}_s$: $!^i P$. The process $!^i P$ represents copies of $P$ for a countable number of values of $i$. The variable $i$ is a session identifier. It indicates which copy of $P$, that is, which session, is executed.

• The restriction $(\nu a)P$ is labeled with a restriction label $\ell$: $(\nu a : \ell)P$, where $\ell$ is either $a[M_1, \ldots, M_n, i_1, \ldots, i_{n'}]$ for restrictions in honest processes or $b_0[a[i_1, \ldots, i_{n'}]]$ for restrictions in the adversary. The symbol $b_0$ is a special name function symbol, distinct from all other such symbols. Using a specific instrumentation for the adversary is helpful so that all names generated by the adversary are encoded by instances of $b_0[x]$. They are therefore easy to generate. This labeling of restrictions is similar to a Church-style typing: $\ell$ can be considered as the type of $a$. (This type is polymorphic since it can contain variables.)
The instrumented processes are then generated by the following grammar:

$P, Q ::=$ instrumented processes
  $!^i P$ replication
  $(\nu a : \ell)P$ restriction
  $\ldots$ (as in the standard calculus)

For instrumented processes, a semantic configuration $S, E, \mathcal{P}$ consists of a set $S$ of session identifiers that have not yet been used by $\mathcal{P}$, an environment $E$ that is a mapping from names to closed patterns of the form $a[\ldots]$, and a finite multiset of instrumented processes $\mathcal{P}$. The first semantic configuration uses any countable set of session identifiers $S_0$. The domain of $E$ must always contain all free names of processes in $\mathcal{P}$, and the initial environment maps all names $a$ to the pattern $a[]$. The semantic rules (Red Repl) and (Red Res) become:

$$S, E, \mathcal{P} \cup \{!^i P\} \to S \setminus \{\lambda\}, E, \mathcal{P} \cup \{P\{\lambda/i\},\ !^i P\} \quad \text{where } \lambda \in S \qquad \text{(Red Repl)}$$

$$S, E, \mathcal{P} \cup \{(\nu a : \ell)P\} \to S, E[a' \mapsto E(\ell)], \mathcal{P} \cup \{P\{a'/a\}\} \quad \text{if } a' \notin \mathrm{dom}(E) \qquad \text{(Red Res)}$$

where the mapping $E$ is extended to all terms as a substitution by $E(f(M_1, \ldots, M_n)) = f(E(M_1), \ldots, E(M_n))$ and to restriction labels by $E(a[M_1, \ldots, M_n, i_1, \ldots, i_{n'}]) = a[E(M_1), \ldots, E(M_n), i_1, \ldots, i_{n'}]$ and $E(b_0[a[i_1, \ldots, i_{n'}]]) = b_0[a[i_1, \ldots, i_{n'}]]$, so that it maps terms and restriction labels to patterns. The rule (Red Repl) takes an unused constant session identifier $\lambda$ in $S$, and creates a copy of $P$ with session identifier $\lambda$. The rule (Red Res) creates a fresh name $a'$, substitutes it for $a$ in $P$, and adds to the environment $E$ the mapping of $a'$ to its encoding $E(\ell)$. Other semantic rules $E, \mathcal{P} \to E, \mathcal{P}'$ simply become $S, E, \mathcal{P} \to S, E, \mathcal{P}'$.

The instrumented process $P'_0 = \mathrm{instr}(P_0)$ associated with the process $P_0$ is built from $P_0$ as follows:

• We label each replication $!P$ of $P_0$ with a distinct, fresh session identifier $i$, so that it becomes $!^i P$.

• We label each restriction $(\nu a)$ of $P_0$ with $a[t, s]$, so that it becomes $(\nu a : a[t, s])$, where $s$ is the sequence of session identifiers that label replications above $(\nu a)$ in the abstract syntax tree of $P_0$, in the order from top to bottom; $t$ is the sequence of variables $x$ that store received messages in inputs $M(x)$ above $(\nu a)$ in $P_0$ and results of non-deterministic destructor applications $\mathtt{let}\ x = g(\ldots)\ \mathtt{in}\ P\ \mathtt{else}\ Q$ above $(\nu a)$ in $P_0$. (A destructor is said to be non-deterministic when it may return several different results for the same arguments. Adding the result of destructor applications to $t$ is useful to improve precision only for non-deterministic destructors. For deterministic destructors, the result of the destructor can be uniquely determined from the other elements of $t$, so the addition is useless. If we add the result of non-deterministic destructors to $t$, we can show that the relative completeness result of [1] still holds in the presence of non-deterministic destructors. This result shows that, for secrecy, the Horn clause approach is at least as precise as a large class of type systems.)

Hence names are represented by functions $a[t, s]$ of the inputs and results of destructor applications in $t$ and the session identifiers in $s$. In each trace of the process, at most one name corresponds to a given $a[t, s]$, since different copies of the restriction have different values of session identifiers in $s$. Therefore, different names are not merged by the verifier.

For the adversary, we use a slightly different instrumentation. We build the instrumented process $Q' = \mathrm{instrAdv}(Q)$ as follows:

• We label each replication $!P$ of $Q$ with a distinct, fresh session identifier $i$, so that it becomes $!^i P$.

• We label each restriction $(\nu a)$ of $Q$ with $b_0[a[s]]$, so that it becomes $(\nu a : b_0[a[s]])$, where $s$ is the sequence of session identifiers that label replications above $(\nu a)$ in $Q'$. (Including the session identifiers as arguments of nonces is necessary for soundness, as discussed in Section 4. Including the messages previously received as arguments of nonces is important for precision in the case of honest processes, in order to relate the nonces to these messages. It is however useless for the adversary: since we consider any $\mathit{Init}$-adversary $Q$, we have no definite information on the relation between nonces generated by the adversary and messages previously received by the adversary.)

Remark 2 By moving restrictions downwards in the syntax tree of the process (until 
the point at which the fresh name is used), one can add more arguments to the pattern 
that represents the fresh name, when the restriction is moved under an input, replica- 
tion, or destructor application. Therefore, this transformation can make our analysis 
more precise. The tool can perform this transformation automatically. 

Example 6 The instrumentation of the process of Section 2.3 yields:

$$\begin{aligned}
P'_A(sk_A, pk_A, pk_B) &= {!}^{i_A}\, c(x\_pk_B).(\nu a : a[x\_pk_B, i_A]) \ldots (\nu r_1 : r_1[x\_pk_B, i_A]) \ldots c(m) \ldots (\nu r_3 : r_3[x\_pk_B, m, i_A]) \ldots \\
P'_B(sk_B, pk_B, pk_A) &= {!}^{i_B}\, c(m') \ldots (\nu b : b[m', i_B]) \ldots (\nu r_2 : r_2[m', i_B]) \ldots \\
P' &= (\nu sk_A : sk_A[])(\nu sk_B : sk_B[]) \ldots (P'_A(sk_A, pk_A, pk_B) \mid P'_B(sk_B, pk_B, pk_A))
\end{aligned}$$

The names created by the restriction (νa) will be represented by the pattern a[x_pk_B,
i_A], so we have a different pattern for each copy of the process, indexed by i_A, and
the pattern also records the public key x_pk_B of the interlocutor of A. Similarly, the
names created by the restriction (νb) will be represented by the pattern b[m', i_B].

The semantics of instrumented processes allows exactly the same communications
and events as the one of standard processes. More precisely, let 𝒫 be a multiset of
instrumented processes. We define unInstr(𝒫) as the multiset of processes of 𝒫 without
the instrumentation. Thus we have:

Proposition 1 If E₀, {P₀, Q} →* E₁, 𝒫₁, then there exist E'₁ and 𝒫'₁ such that, for any
countable set of session identifiers S₀, there exists S' such that S₀, {a ↦ a[] | a ∈ E₀},
{instr(P₀), instrAdv(Q)} →* S', E'₁, 𝒫'₁, dom(E'₁) = E₁, unInstr(𝒫'₁) = 𝒫₁, and
both traces execute the same events at the same steps and satisfy the same atoms.

Conversely, if S₀, {a ↦ a[] | a ∈ E₀}, {instr(P₀), instrAdv(Q)} →* S', E'₁, 𝒫'₁,
then E₀, {P₀, Q} →* dom(E'₁), unInstr(𝒫'₁), and both traces execute the same events
at the same steps and satisfy the same atoms.

Proof This is an easy proof by induction on the length of the traces. The reduction
rules applied in both traces are rules with the same name. □

We can define correspondences for instrumented processes. These correspondences
and the clauses use facts defined by the following grammar:

F ::=                        facts
      attacker(p)            attacker knowledge
      message(p, p')         message on a channel
      m-event(p)             must-event
      event(p)               may-event

The fact attacker(p) means that the attacker may have p, and the fact message(p, p')
means that the message p' may appear on channel p. The fact m-event(p) means
that event(M) must have been executed with M corresponding to p, and event(p)
that event(M) may have been executed with M corresponding to p. We use the word
"fact" to distinguish them from atoms attacker(M), message(M, M'), and event(M).
The correspondences do not use the fact m-event(p), but the clauses use it.

The mapping E of a semantic configuration is extended to atoms by
E(attacker(M)) = attacker(E(M)), E(message(M, M')) = message(E(M),
E(M')), and E(event(M)) = event(E(M)), so that it maps atoms to facts. We
define that an instrumented trace T satisfies an atom α by naturally adapting Definition 2.
When F is not m-event(p), we say that an instrumented trace T = S₀, E₀, 𝒫₀ →*
S', E', 𝒫' satisfies a fact F when there exists an atom α such that T satisfies α and
E'(α) = F. We also define that event(M) is executed at step τ in the instrumented
trace T by naturally adapting Definition 6. We say that event(p) is executed at step τ
in the instrumented trace T = S₀, E₀, 𝒫₀ →* S', E', 𝒫' when there exists a term M
such that event(M) is executed at step τ in T and E'(M) = p.



Definition 10 Let P₀ be a closed process and P₀' = instr(P₀). The instrumented
process P₀' satisfies the correspondence

$$F \rightsquigarrow \bigvee_{j=1}^{m} \Bigl( F_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \text{event}(p_{jk}) \Bigr)$$

against Init-adversaries if and only if, for any Init-adversary Q, for any trace T =
S₀, E₀, {P₀', Q'} →* S', E', 𝒫', with Q' = instrAdv(Q), E₀(a) = a[] for all a ∈
dom(E₀), and fn(P₀') ∪ Init ⊆ dom(E₀), if T satisfies σF for some substitution
σ, then there exist σ' and j ∈ {1, ..., m} such that σ'F_j = σF and for all k ∈
{1, ..., l_j}, T satisfies event(σ'p_jk).
A correspondence for instrumented processes implies a correspondence for stan-
dard processes, as shown by the following lemma, proved in Appendix A. 



Lemma 1 Let P₀ be a closed process and P₀' = instr(P₀). Let M_jk (j ∈ {1, ..., m},
k ∈ {1, ..., l_j}) be terms; let α and α_j (j ∈ {1, ..., m}) be atoms. Let p_jk, F, F_j be
the patterns and facts obtained by replacing names a with patterns a[] in the terms and
atoms M_jk, α, α_j respectively. If P₀' satisfies the correspondence

$$F \rightsquigarrow \bigvee_{j=1}^{m} \Bigl( F_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \text{event}(p_{jk}) \Bigr)$$

against Init-adversaries, then P₀ satisfies the correspondence

$$\alpha \rightsquigarrow \bigvee_{j=1}^{m} \Bigl( \alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \text{event}(M_{jk}) \Bigr)$$

against Init-adversaries.

For instrumented processes, we can specify properties referring to bound names of 
the process, which are represented by patterns. Such a specification is impossible in 
standard processes, because bound names can be renamed, so they cannot be referenced 
in terms in correspondences. 

5.2 Generation of Horn Clauses 

Given a closed process P₀ and a set of names Init, the protocol verifier first instruments
P₀ to obtain P₀' = instr(P₀); then it builds a set of Horn clauses, representing the
protocol in parallel with any Init-adversary. The clauses are of the form F₁ ∧ ... ∧ F_n ⇒
F, where F₁, ..., F_n, F are facts. They comprise clauses for the attacker and clauses
for the protocol, defined below. These clauses form the set 𝓡_{P₀',Init}. The predicate
m-event is defined by a set of closed facts 𝓕_me, such that m-event(p) is true if and
only if m-event(p) ∈ 𝓕_me. The facts in 𝓕_me do not belong to 𝓡_{P₀',Init}. The set 𝓕_me is
the set of facts that corresponds to the set of allowed events ℰ, mentioned in Section 4.

5.2.1 Clauses for the Attacker 

The clauses describing the attacker are almost the same as for the verification of secrecy
in [1]. The only difference is that, here, the attacker is given an infinite set of fresh
names b₀[x], instead of only one fresh name b[]. Indeed, we cannot merge all fresh
names created by the attacker, since we have to make sure that different terms are
represented by different patterns for the verification of correspondences to be correctly
implemented, as seen in Section 4. The abilities of the attacker are then represented by
the following clauses:




$$\begin{array}{ll}
\text{For each } a \in \mathit{Init},\ \text{attacker}(a[]) & \text{(Init)} \\
\text{attacker}(b_0[x]) & \text{(Rn)} \\
\text{For each public constructor } f \text{ of arity } n, & \\
\quad \text{attacker}(x_1) \wedge \ldots \wedge \text{attacker}(x_n) \Rightarrow \text{attacker}(f(x_1, \ldots, x_n)) & \text{(Rf)} \\
\text{For each public destructor } g, \text{ for each rewrite rule } g(M_1, \ldots, M_n) \to M \text{ in } \mathrm{def}(g), & \\
\quad \text{attacker}(M_1) \wedge \ldots \wedge \text{attacker}(M_n) \Rightarrow \text{attacker}(M) & \text{(Rg)} \\
\text{message}(x, y) \wedge \text{attacker}(x) \Rightarrow \text{attacker}(y) & \text{(Rl)} \\
\text{attacker}(x) \wedge \text{attacker}(y) \Rightarrow \text{message}(x, y) & \text{(Rs)}
\end{array}$$



The clause (Init) represents the initial knowledge of the attacker. The clause (Rn) means 
that the attacker can generate an unbounded number of new names. The clauses (Rf) 
and (Rg) mean that the attacker can apply all operations to all terms it has, (Rf) for 
constructors, (Rg) for destructors. For (Rg), notice that the rewrite rules in def (g) do 
not contain names and that terms without names are also patterns, so the clauses have 
the required format. Clause (Rl) means that the attacker can listen on all channels it 
has, and (Rs) that it can send all messages it has on all channels it has. 

If c ∈ Init, we can replace all occurrences of message(c[], M) with attacker(M)
in the clauses. Indeed, these facts are equivalent by the clauses (Rl) and (Rs).

5.2.2 Clauses for the Protocol 

When a function ρ associates a pattern with each name and variable, and f is a
constructor, we extend ρ as a substitution by ρ(f(M₁, ..., M_n)) = f(ρ(M₁), ..., ρ(M_n)).

The translation [[P]]ρH of a process P is a set of clauses, where ρ is a function that
associates a pattern with each name and variable, and H is a sequence of facts of the
form message(p, p') or m-event(p). The environment ρ maps each variable and name
to its associated pattern representation. The sequence H keeps track of events that have
been executed and of messages received by the process, since these may trigger other
messages. The empty sequence is denoted by ∅; the concatenation of a fact F to the
sequence H is denoted by H ∧ F. The pattern ρ(i) is always a session identifier variable
of 𝒱_s.

$$\begin{aligned}
[\![0]\!]\rho H &= \emptyset \\
[\![P \mid Q]\!]\rho H &= [\![P]\!]\rho H \cup [\![Q]\!]\rho H \\
[\![{!}^{i} P]\!]\rho H &= [\![P]\!](\rho[i \mapsto i])H \\
[\![(\nu a : a[M_1, \ldots, M_n, i_1, \ldots, i_{n'}])P]\!]\rho H &= [\![P]\!](\rho[a \mapsto a[\rho(M_1), \ldots, \rho(M_n), \rho(i_1), \ldots, \rho(i_{n'})]])H \\
[\![M(x).P]\!]\rho H &= [\![P]\!](\rho[x \mapsto x])(H \wedge \text{message}(\rho(M), x)) \\
[\![\overline{M}\langle N \rangle.P]\!]\rho H &= [\![P]\!]\rho H \cup \{H \Rightarrow \text{message}(\rho(M), \rho(N))\} \\
[\![\text{let } x = g(M_1, \ldots, M_n) \text{ in } P \text{ else } Q]\!]\rho H &= \bigcup \{ [\![P]\!]((\sigma\rho)[x \mapsto \sigma' p'])(\sigma H) \mid g(p'_1, \ldots, p'_n) \to p' \text{ is in } \mathrm{def}(g) \\
&\qquad \text{and } (\sigma, \sigma') \text{ is a most general pair of substitutions such that } \sigma\rho(M_1) = \sigma' p'_1, \ldots, \sigma\rho(M_n) = \sigma' p'_n \} \cup [\![Q]\!]\rho H \\
[\![\text{if } M = N \text{ then } P \text{ else } Q]\!]\rho H &= [\![P]\!](\sigma\rho)(\sigma H) \cup [\![Q]\!]\rho H \quad \text{where } \sigma \text{ is the most general unifier of } \rho(M) \text{ and } \rho(N) \\
[\![\text{event}(M).P]\!]\rho H &= [\![P]\!]\rho(H \wedge \text{m-event}(\rho(M))) \cup \{H \Rightarrow \text{event}(\rho(M))\}
\end{aligned}$$

The translation of a process is a set of Horn clauses that express that it may send 
certain messages or execute certain events. The clauses are similar to those of [1], 
except in the cases of replication, restriction, and the addition of events. 

• The nil process does nothing, so its translation is empty. 

• The clauses for the parallel composition of processes P and Q are the union of 
clauses for P and Q. 

• The replication only inserts the new session identifier i in the environment p. It 
is otherwise ignored, because all Horn clauses are applicable arbitrarily many 
times. 

• For the restriction, we replace the restricted name a in question with the pattern
a[ρ(M₁), ..., ρ(M_n), ρ(i₁), ..., ρ(i_{n'})]. By definition of the instrumentation,
this pattern contains the previous inputs, results of non-deterministic destructor
applications, and session identifiers.

• The sequence H is extended in the translation of an input, with the input in 
question. 

• The translation of an output adds a clause, meaning that the output is triggered 
when all conditions in H are true. 

• The translation of a destructor application is the union of the clauses for the cases 
where the destructor succeeds (with an appropriate substitution) and where the 
destructor fails. For simplicity, we assume that the else branch of destructors 
may always be executed; this is sufficient in most cases, since the else branch is 
often empty or just sends an error message. We outline a more precise treatment 
in Section 9.2. 

• The conditional if M = N then P else Q is in fact equivalent to
let x = equal(M, N) in P else Q, where the destructor equal is defined by
equal(x, x) → x, so the translation of the conditional is a particular case of the
destructor application. We give it explicitly since it is particularly simple.

• The translation of an event adds the hypothesis m-event(p(M)) to H, meaning 
that P can be executed only if the event has been executed first. Furthermore, it 
adds a clause, meaning that the event is triggered when all conditions in H are 
true. 
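The translation [[P]]ρH of this section, written out as an added Python example (it is not code from the paper or from ProVerif) for the constructs that need no unification: nil, parallel composition, replication, restriction, input, output and event. The let and if cases, which need a most general unifier, are omitted. The process is constructed here, modelled on P'_A of Example 6, whose body the paper elides with "..."; the tuple-based process representation, the symbol conventions (a symbol ending in "[]" is a name pattern, the empty symbol is the tuple constructor), the INIT set and the replacement of message(c[], M) by attacker(M) for c ∈ Init are assumptions of the example, and Remark 3 is not applied, so the event clause for e₁ is kept.

```python
# Added example (not the paper's or ProVerif's code): the clause translation [[P]]rho H
# of Section 5.2.2 for nil, parallel composition, replication, restriction, input,
# output and event; let/if (which need unification) are omitted.
# Representation (assumptions of this example): a term is a str (name, variable or
# session identifier) or a tuple (symbol, args...); a symbol ending in "[]" is a name
# pattern a[...]; the empty symbol "" is the tuple constructor; a process is a tuple
# whose first element is its kind.  message(c[], M) with c in INIT is replaced by
# attacker(M), as Section 5.2.1 allows.

INIT = {"c"}                 # public names known to the attacker (constructed)

def app(rho, t):
    """Apply the environment rho, extended to a substitution, to a term."""
    if isinstance(t, str):
        return rho[t]        # KeyError here means an unbound name or variable
    return (t[0],) + tuple(app(rho, a) for a in t[1:])

def msg(channel, m):
    """message(p, p'), or attacker(p') when the channel is a public name of INIT."""
    public = len(channel) == 1 and channel[0].endswith("[]") and channel[0][:-2] in INIT
    return ("attacker", m) if public else ("message", channel, m)

def translate(P, rho, H):
    """[[P]]rho H: a list of clauses (hypotheses tuple, conclusion)."""
    kind = P[0]
    if kind == "nil":
        return []
    if kind == "par":
        return translate(P[1], rho, H) + translate(P[2], rho, H)
    if kind == "repl":                    # !^i P: only records the session identifier i
        i, Q = P[1], P[2]
        return translate(Q, {**rho, i: i}, H)
    if kind == "new":                     # (nu a : a[M1..Mn, i1..in'])P
        a, args, Q = P[1], P[2], P[3]
        pattern = (a + "[]",) + tuple(app(rho, t) for t in args)
        return translate(Q, {**rho, a: pattern}, H)
    if kind == "in":                      # M(x).P: the input joins the hypotheses H
        M, x, Q = P[1], P[2], P[3]
        return translate(Q, {**rho, x: x}, H + [msg(app(rho, M), x)])
    if kind == "out":                     # M<N>.P: adds the clause H => message(rho M, rho N)
        M, N, Q = P[1], P[2], P[3]
        return [(tuple(H), msg(app(rho, M), app(rho, N)))] + translate(Q, rho, H)
    if kind == "event":                   # event(M).P: H => event(rho M), and m-event joins H
        pm = app(rho, P[1])
        return [(tuple(H), ("event", pm))] + translate(P[2], rho, H + [("m-event", pm)])
    raise ValueError(kind)

def show(t):
    """Print a term, fact or pattern in the paper's notation (a[...] for name patterns)."""
    if isinstance(t, str):
        return t
    args = ", ".join(show(a) for a in t[1:])
    return f"{t[0][:-2]}[{args}]" if t[0].endswith("[]") else f"{t[0]}({args})"

def show_clause(clause):
    hyps, concl = clause
    return " ∧ ".join(show(f) for f in hyps) + (" ⇒ " if hyps else "") + show(concl)

# Constructed process modelled on P'_A of Example 6: A receives B's public key, creates
# a and r1, records event e1 and sends message 1; the outer part publishes the public keys.
P_A = ("repl", "i_A",
       ("in", "c", "x_pk_B",
        ("new", "a", ("x_pk_B", "i_A"),
         ("event", ("e1", ("pk", "sk_A"), "x_pk_B", "a"),
          ("new", "r1", ("x_pk_B", "i_A"),
           ("out", "c", ("pencrypt_p", ("", "a", ("pk", "sk_A")), "x_pk_B", "r1"),
            ("nil",)))))))
P = ("new", "sk_A", (), ("new", "sk_B", (),
     ("out", "c", ("pk", "sk_A"), ("out", "c", ("pk", "sk_B"), ("par", P_A, ("nil",))))))

def protocol_clauses():
    """[[P]]rho ∅ with rho = {a -> a[] | a in fn(P)}; here fn(P) = {c}."""
    return translate(P, {a: (a + "[]",) for a in INIT}, [])

if __name__ == "__main__":
    for clause in protocol_clauses():
        print(show_clause(clause))
```

protocol_clauses() yields four clauses: the two public-key outputs, the event clause attacker(x_pk_B) ⇒ event(e1(pk(sk_A[]), x_pk_B, a[x_pk_B, i_A])), and the output clause with H = attacker(x_pk_B) ∧ m-event(e1(...)), which is clause (4) of Example 7; the name patterns a[x_pk_B, i_A] and r1[x_pk_B, i_A] come directly from the restriction labels.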



Remark 3 Depending on the form of the correspondences we want to prove, we can
sometimes simplify the clauses generated for events. Suppose that all arguments of
events in the process and in correspondences are of the form f(M₁, ..., M_n) for some
function symbol f.

If, for a certain function symbol f, events event(f(...)) occur only before ⇝ in
the desired correspondences, then it is easy to see in the following theorems that
hypotheses of the form m-event(f(...)) in clauses can be removed without changing the
result, so the clauses generated by the event event(M) when M is of the form f(...)
can be simplified into:

$$[\![\text{event}(M).P]\!]\rho H = [\![P]\!]\rho H \cup \{H \Rightarrow \text{event}(\rho(M))\}$$

(Intuitively, since the events event(f(...)) occur only before ⇝ in the desired
correspondences, we never prove that an event event(f(...)) has been executed, so the
facts m-event(f(...)) are useless.)

Similarly, if event(f(...)) occurs only after ⇝ in the desired correspondences,
then clauses that conclude a fact of the form event(f(...)) can be removed without
changing the result, so the clauses generated by the event event(M) when M is of the
form f(...) can be simplified into:

$$[\![\text{event}(M).P]\!]\rho H = [\![P]\!]\rho(H \wedge \text{m-event}(\rho(M)))$$

(Intuitively, since the events event(f(...)) occur only after ⇝ in the desired
correspondences, we never prove properties of the form "if event(f(...)) has been executed,
then ...", so clauses that conclude event(f(...)) are useless.)

This translation of the protocol into Horn clauses introduces approximations. The 
actions are considered as implicitly replicated, since the clauses can be applied any 
number of times. This approximation implies that the tool fails to prove protocols 
that first need to keep some value secret and later reveal it. For instance, consider the
process (νd)(d̄⟨s⟩.c̄⟨d⟩ | d(x)). This process preserves the secrecy of s, because s is
output on the private channel d and received by the input on d, before the adversary
gets to know d by the output of d on the public channel c. However, the Horn clause
method cannot prove this property, because it treats this process like a variant with
additional replications (νd)(!d̄⟨s⟩.c̄⟨d⟩ | !d(x)), which does not preserve the secrecy of
s. Similarly, the process (νd)(d̄⟨M⟩ | d(x).d(x).event(e₁)) never executes the event
e₁, but the Horn clause method cannot prove this property because it treats this process
like (νd)(!d̄⟨M⟩ | d(x).d(x).event(e₁)), which may execute e₁. The only exception
to this implicit replication of processes is the creation of new names: since session 
identifiers appear in patterns, the created name is precisely related to the session that 
creates it, so name creation cannot be unduly repeated inside the same session. Due to 
these approximations, our tool is not complete (it may produce false attacks) but, as we 
show below, it is sound (the security properties that it proves are always true). 

5.2.3 Summary and Correctness 

Let ρ = {a ↦ a[] | a ∈ fn(P₀')}. We define the clauses corresponding to the
instrumented process P₀' as:

$$\mathcal{R}_{P_0', \mathit{Init}} = [\![P_0']\!]\rho\emptyset \cup \{\text{attacker}(a[]) \mid a \in \mathit{Init}\} \cup \{(\mathrm{Rn}), (\mathrm{Rf}), (\mathrm{Rg}), (\mathrm{Rl}), (\mathrm{Rs})\}$$
Example 7 The clauses for the process P of Section 2.3 are the clauses for the
adversary, plus:

$$\begin{array}{lr}
\text{attacker}(pk(sk_A[])) & (2) \\
\text{attacker}(pk(sk_B[])) & (3) \\
H_1 \Rightarrow \text{attacker}(pencrypt_p((a[x\_pk_B, i_A], pk(sk_A[])), x\_pk_B, r_1[x\_pk_B, i_A])) & (4) \\
H_2 \Rightarrow \text{attacker}(pencrypt_p(x\_b, x\_pk_B, r_3[x\_pk_B, p_2, i_A])) & (5) \\
H_3 \Rightarrow \text{event}(e_A(pk(sk_A[]), pk(sk_B[]), a[pk(sk_B[]), i_A], x\_b)) & (6) \\
H_3 \Rightarrow \text{attacker}(sencrypt(sAa[], a[pk(sk_B[]), i_A])) & (7) \\
H_3 \Rightarrow \text{attacker}(sencrypt(sAb[], x\_b)) & (8)
\end{array}$$

where p₂ = pencrypt_p((a[x_pk_B, i_A], x_b, x_pk_B), pk(sk_A[]), x_r₂) and

$$\begin{aligned}
H_1 &= \text{attacker}(x\_pk_B) \wedge \text{m-event}(e_1(pk(sk_A[]), x\_pk_B, a[x\_pk_B, i_A])) \\
H_2 &= H_1 \wedge \text{attacker}(p_2) \wedge \text{m-event}(e_3(pk(sk_A[]), x\_pk_B, a[x\_pk_B, i_A], x\_b)) \\
H_3 &= H_2\{pk(sk_B[])/x\_pk_B\}
\end{aligned}$$

$$\begin{array}{lr}
\text{attacker}(p_1) \wedge \text{m-event}(e_2(x\_pk_A, pk(sk_B[]), x\_a, b[p_1, i_B])) \Rightarrow \text{attacker}(pencrypt_p((x\_a, b[p_1, i_B], pk(sk_B[])), x\_pk_A, r_2[p_1, i_B])) & (9)
\end{array}$$

where p₁ = pencrypt_p((x_a, x_pk_A), pk(sk_B[]), x_r₁), and

$$\begin{array}{lr}
H_4 \Rightarrow \text{event}(e_B(pk(sk_A[]), pk(sk_B[]), x\_a, b[p'_1, i_B])) & (10) \\
H_4 \Rightarrow \text{attacker}(sencrypt(sBa[], x\_a)) & (11) \\
H_4 \Rightarrow \text{attacker}(sencrypt(sBb[], b[p'_1, i_B])) & (12)
\end{array}$$

where p'₁ = pencrypt_p((x_a, pk(sk_A[])), pk(sk_B[]), x_r₁) and

$$H_4 = \text{attacker}(p'_1) \wedge \text{m-event}(e_2(pk(sk_A[]), pk(sk_B[]), x\_a, b[p'_1, i_B])) \wedge \text{attacker}(pencrypt_p(b[p'_1, i_B], pk(sk_B[]), x\_r_3))$$

Clauses (2) and (3) correspond to the outputs in P; they mean that the adversary has
the public keys of the participants. Clauses (4) and (5) correspond to the first two
outputs in P_A. For example, (5) means that, if the attacker has x_pk_B and the
second message of the protocol p₂, and the events e₁(pk(sk_A[]), x_pk_B, a[x_pk_B, i_A])
and e₃(pk(sk_A[]), x_pk_B, a[x_pk_B, i_A], x_b) are allowed, then the attacker can get
pencrypt_p(x_b, x_pk_B, r₃[x_pk_B, p₂, i_A]), because P_A sends this message after
receiving x_pk_B and p₂ and executing the events e₁ and e₃. When furthermore x_pk_B =
pk(sk_B[]), P_A executes event e_A and outputs the encryption of sAa[] under a[x_pk_B,
i_A] and the encryption of sAb[] under x_b. This event and these outputs are taken into
account by Clauses (6), (7), and (8) respectively. Similarly, Clauses (9), (11), and (12)
correspond to the outputs in P_B and (10) to the event e_B. These clauses have been
simplified using Remark 3, taking into account that e₁, e₂, and e₃ appear only on the
right-hand side of ⇝ and e_A and e_B only on the left-hand side of ⇝ in the queries of
Examples 1, 2, and 3.

Theorem 1 (Correctness of the clauses) Let P₀ be a closed process and Q be an
Init-adversary. Let P₀' = instr(P₀) and Q' = instrAdv(Q). Consider a trace T =
S₀, E₀, {P₀', Q'} →* S', E', 𝒫', with fn(P₀') ∪ Init ⊆ dom(E₀) and E₀(a) = a[]
for all a ∈ dom(E₀). Assume that, if T satisfies event(p), then m-event(p) ∈ 𝓕_me.
Finally, assume that T satisfies F. Then F is derivable from 𝓡_{P₀',Init} ∪ 𝓕_me.

This result shows that, if the only executed events are those allowed in 𝓕_me and a
fact F is satisfied, then F is derivable from the clauses. It is proved in Appendix B.
Using a technique similar to that of [1], its proof relies on a type system to express 
the soundness of the clauses on Pq, and on the subject reduction of this type system to 
show that soundness of the clauses is preserved during all executions of the process. 

6 Solving Algorithm 

We first describe a basic solving algorithm without optimizations. Next, we list the 
optimizations that we use in our implementation, and we prove the correctness of the 
algorithm. The termination of the algorithm is discussed in Section 8. 

6.1 The Basic Algorithm 

To apply the previous results, we have to determine whether a fact is derivable from
𝓡_{P₀',Init} ∪ 𝓕_me. This may be undecidable, but in practice there exist algorithms that
terminate on numerous examples of protocols. In particular, we can use variants of
resolution algorithms, such as the algorithms described in [13, 14, 20, 69]. The algorithm
that we describe here is the one of [14], extended with a second phase to determine
derivability of any query. It also corresponds to the extension to m-event facts of the
algorithm of [20].

We first define resolution: when the conclusion of a clause R unifies with a
hypothesis F₀ of a clause R', we can infer a new clause R ∘_{F₀} R', that corresponds to
applying R and R' one after the other. Formally, this is defined as follows:

Definition 11 Let R = H ⇒ C and R' = H' ⇒ C' be two clauses. Assume that
there exists F₀ ∈ H' such that C and F₀ are unifiable, and σ is the most general unifier
of C and F₀. In this case, we define R ∘_{F₀} R' = σ(H ∪ (H' \ {F₀})) ⇒ σC'.

An important idea to obtain an efficient solving algorithm is to specify conditions that
limit the application of resolution, while keeping completeness. The conditions that we
use correspond to resolution with free selection [9, 35, 55]: a selection function chooses
selected facts in each clause, and resolution is performed only on selected facts, that is,
the clause R ∘_{F₀} R' is generated only when the conclusion is selected in R and F₀ is
selected in R'.

Definition 12 We denote by sel a selection function, that is, a function from clauses to
sets of facts, such that sel(H ⇒ C) ⊆ H. If F ∈ sel(R), we say that F is selected in
R. If sel(R) = ∅, we say that no hypothesis is selected in R, or that the conclusion of
the clause is selected.
The choice of the selection function can change dramatically the speed of the algorithm.
Since the algorithm combines clauses by resolution only when the facts unified in the
resolution are selected, we will choose the selection function to reduce the number
of possible unifications between selected facts. Having several selected facts slows
down the algorithm, because it has more choices of resolutions to perform; therefore
we will select at most one fact in each clause. In the case of protocols, facts of the form
attacker(x), with x a variable, can be unified with all facts of the form attacker(p).
Therefore we should avoid selecting them. The m-event facts must never be selected
since they are not defined by known clauses.

Definition 13 We say that a fact F is unselectable when F = attacker(x) for some
variable x or F = m-event(p) for some pattern p. Otherwise, we say that F is
selectable.

We require that the selection function never selects unselectable hypotheses and
that sel(H ⇒ attacker(x)) ≠ ∅ when H contains a selectable fact.

A basic selection function for security protocols is then

$$\mathrm{sel}_0(H \Rightarrow C) = \begin{cases} \emptyset & \text{if } \forall F \in H,\ F \text{ is unselectable} \\ \{F_0\} \text{ where } F_0 \in H \text{ and } F_0 \text{ is selectable} & \text{otherwise} \end{cases}$$


In the implementation, the hypotheses are represented by a list, and the selected fact is 
the first selectable element of the list of hypotheses. 

The solving algorithm works in two phases, summarized in Figure 4. The first 
phase, saturate, transforms the set of clauses into an equivalent but simpler one. The 
second phase, derivable, uses a depth-first search to determine whether a fact can be 
inferred or not from the clauses. 

The first phase contains 3 steps. 

• The first step inserts in 𝓡 the initial clauses representing the protocol and the
attacker (clauses that are in 𝓡₀), after simplification by simplify (defined below
in Section 6.2) and elimination of subsumed clauses by elim. We say that H₁ ⇒
C₁ subsumes H₂ ⇒ C₂, and we write (H₁ ⇒ C₁) ⊒ (H₂ ⇒ C₂), when there
exists a substitution σ such that σC₁ = C₂ and σH₁ ⊆ H₂. (H₁ and H₂ are
multisets, and we use here multiset inclusion.) If R' subsumes R, and R and R'
are in 𝓡, then R is removed by elim(𝓡).

• The second step is a fixpoint iteration that adds clauses created by resolution.
The composition of clauses R and R' is added only if no hypothesis is selected
in R, and the hypothesis F₀ of R' that we unify is selected. When a clause
is created by resolution, it is added to the set of clauses 𝓡 after simplification.
Subsumed clauses are eliminated from 𝓡.

• At last, the third step returns the set of clauses of 𝓡 with no selected hypothesis.

Basically, saturate preserves derivability: F is derivable from 𝓡₀ ∪ 𝓕_me if and only if
it is derivable from saturate(𝓡₀) ∪ 𝓕_me. A formal statement of this result is given in
Lemma 2 below.







First phase: saturation

saturate(𝓡₀) =

1. 𝓡 ← ∅.
   For each R ∈ 𝓡₀, 𝓡 ← elim(simplify(R) ∪ 𝓡).

2. Repeat until a fixpoint is reached
   for each R ∈ 𝓡 such that sel(R) = ∅,
   for each R' ∈ 𝓡, for each F₀ ∈ sel(R') such that R ∘_{F₀} R' is defined,
   𝓡 ← elim(simplify(R ∘_{F₀} R') ∪ 𝓡).

3. Return {R ∈ 𝓡 | sel(R) = ∅}.

Second phase: backwards depth-first search

$$\mathrm{deriv}(R, \mathcal{R}, \mathcal{R}_1) = \begin{cases}
\emptyset & \text{if } \exists R' \in \mathcal{R},\ R' \sqsupseteq R \\
\{R\} & \text{otherwise, if } \mathrm{sel}(R) = \emptyset \\
\bigcup \{ \mathrm{deriv}(\mathrm{simplify}'(R' \circ_{F_0} R), \{R\} \cup \mathcal{R}, \mathcal{R}_1) \mid R' \in \mathcal{R}_1,\ F_0 \in \mathrm{sel}(R) \text{ such that } R' \circ_{F_0} R \text{ is defined} \} & \text{otherwise}
\end{cases}$$

derivable(F, 𝓡₁) = deriv(F ⇒ F, ∅, 𝓡₁)

Figure 4: Solving algorithm

The second phase searches the facts that can be inferred from 𝓡₁ = saturate(𝓡₀).
This is simply a backward depth-first search. The call derivable(F, 𝓡₁) returns a set of
clauses R = H ⇒ C with empty selection, such that R can be obtained by resolution
from 𝓡₁, C is an instance of F, and all instances of F derivable from 𝓡₁ can be
derived by using as last clause a clause of derivable(F, 𝓡₁). (Formally, if F' is an
instance of F derivable from 𝓡₁, then there are a clause H ⇒ C ∈ derivable(F, 𝓡₁)
and a substitution σ such that F' = σC and σH is derivable from 𝓡₁.)

The search itself is performed by deriv(R, 𝓡, 𝓡₁). The function deriv starts with
R = F ⇒ F and transforms the hypothesis of R by using a clause R' of 𝓡₁ to
derive an element F₀ of the hypothesis of R. So R is replaced with R' ∘_{F₀} R (third
case of the definition of deriv). The fact F₀ is chosen using the selection function sel.
The obtained clause R' ∘_{F₀} R is then simplified by the function simplify' defined in
Section 6.2. (Hence deriv derives the hypothesis of R using a backward depth-first
search. At each step, the clause R can be obtained by resolution from clauses of 𝓡₁,
and R concludes an instance of F.) The set 𝓡 is the set of clauses that we have already
seen during the search. Initially, 𝓡 is empty, and the clause R is added to 𝓡 in the third
case of the definition of deriv.

The transformation of R described above is repeated until one of the following two 
conditions is satisfied: 

• R is subsumed by a clause in 𝓡: we are in a cycle; we are looking for instances
of facts that we have already looked for (first case of the definition of deriv);

• sel(R) is empty: we have obtained a suitable clause R and we return it (second
case of the definition of deriv).



6.2 Simplification Steps



Before adding a clause to the clause base, it is first simplified using the following 
functions. Some of them are standard, such as the elimination of tautologies and of 
duplicate hypotheses; others are specific to protocols. The simplification functions 
take as input a clause or a set of clauses and return a set of clauses. 

Decomposition of Data Constructors A data constructor is a constructor f of arity
n that comes with associated destructors g_i for i ∈ {1, ..., n} defined by g_i(f(x₁,
..., x_n)) → x_i. Data constructors are typically used for representing data structures.
Tuples are examples of data constructors. For each data constructor f, the following
clauses are generated:

$$\begin{array}{lr}
\text{attacker}(x_1) \wedge \ldots \wedge \text{attacker}(x_n) \Rightarrow \text{attacker}(f(x_1, \ldots, x_n)) & \text{(Rf)} \\
\text{attacker}(f(x_1, \ldots, x_n)) \Rightarrow \text{attacker}(x_i) & \text{(Rg)}
\end{array}$$

Therefore, attacker(f(p₁, ..., p_n)) is derivable if and only if, for all i ∈ {1, ..., n},
attacker(p_i) is derivable. So the function decomp transforms clauses as follows. When
a fact of the form attacker(f(p₁, ..., p_n)) is met, it is replaced with attacker(p₁) ∧
... ∧ attacker(p_n). If this replacement is done in the conclusion of a clause
H ⇒ attacker(f(p₁, ..., p_n)), n clauses are created: H ⇒ attacker(p_i) for each
i ∈ {1, ..., n}. This replacement is of course done recursively: if p_i itself is a data
constructor application, it is replaced again. The function decomphyp performs this
decomposition only in the hypothesis of clauses. The functions decomp and decomphyp
leave the clauses (Rf) and (Rg) for data constructors unchanged. (When attacker(x)
cannot be selected, the clauses (Rf) and (Rg) for data constructors are in fact not
necessary, because they generate only tautologies during resolution. However, when
attacker(x) can be selected, which cannot be excluded in extensions such as the one
presented in Section 9.3, these clauses may become necessary for soundness.)

Elimination of Tautologies The function elimtaut removes clauses whose conclu- 
sion is already in the hypotheses, since such clauses do not generate new facts. 

Elimination of Duplicate Hypotheses The function elimdup eliminates duplicate 
hypotheses of clauses. 

Elimination of Useless attacker(x) Hypotheses If a clause H ⇒ C contains in its
hypotheses attacker(x), where x is a variable that does not appear elsewhere in the
clause, the hypothesis attacker(x) is removed by the function elimattx. Indeed, the
attacker always has at least one message, so attacker(x) is always satisfied.

Secrecy Assumptions When the user knows that a fact F will not be derivable, he
can tell it to the verifier. (When this fact is of the form attacker(p), the user tells that
p remains secret; that is why we use the name "secrecy assumptions".) Let 𝓕_not be a
set of facts, for which the user claims that no instance of these facts is derivable. The
function elimnot removes all clauses that have an instance of a fact in 𝓕_not in their
hypotheses. As shown in Figure 5, at the end of the saturation, the solving algorithm
checks that the facts in 𝓕_not are indeed underivable from the obtained clauses. If
this condition is satisfied, solve_{P₀',Init}(F) returns clauses that conclude instances of F.
Otherwise, the user has given erroneous information, so an error message is displayed.
Even when the user gives erroneous secrecy assumptions, the verifier never wrongly
claims that a protocol is secure.

solve_{P₀',Init}(F) =

1. Let 𝓡₁ = saturate(𝓡_{P₀',Init}).

2. For each F' ∈ 𝓕_not, if derivable(F', 𝓡₁) ≠ ∅, then terminate with error.

3. Return derivable(F, 𝓡₁).

Figure 5: Summary of the solving algorithm

Mentioning such underivable facts prunes the search space, by removing useless 
clauses. This speeds up the search process. In most cases, the secret keys of the 
principals cannot be known by the attacker, so examples of underivable facts are
attacker(sk_A[]) and attacker(sk_B[]).

Elimination of Redundant Hypotheses When a clause is of the form H ∧ H' ⇒ C,
and there exists σ such that σH ⊆ H' and σ does not change the variables of H' and
C, then the clause is replaced with H' ⇒ C by the function elimredundanthyp. These
clauses are semantically equivalent: obviously, H' ⇒ C subsumes H ∧ H' ⇒ C;
conversely, if a fact can be derived by an instance σ'H' ⇒ σ'C of H' ⇒ C, then it
can also be derived by the instance σ'σH ∧ σ'H' ⇒ σ'C of H ∧ H' ⇒ C, since the
elements of σ'σH can be derived because they are in σ'H'.

This replacement is especially useful when H contains m-event facts. Otherwise,
the elements of H could be selected and transformed by resolution, until they are of
the form attacker(x), in which case they are removed by elimattx if σx ≠ x (because
x does not occur in H' and C since σ does not change the variables of H' and C)
or by elimdup if σx = x (because attacker(x) = σattacker(x) ∈ σH ⊆ H'). In
contrast, m-event facts remain forever, because they are unselectable. Depending on
user settings, this replacement can be applied for all H, applied only when H contains
an m-event fact, or switched off, since testing this property takes time and slows down
small examples. On the other hand, on big examples, such as some of those generated
by TulaFale [12] for verifying Web services, this technique can yield important
speedups.

Putting All Simplifications Together The function simplify groups all these
simplifications. We define simplify = elimattx ∘ elimtaut ∘ elimnot ∘ elimredundanthyp ∘
elimdup ∘ decomp. In this definition, the simplifications are ordered in such a way that
simplify ∘ simplify = simplify, so it is not necessary to repeat the simplification.

Similarly, simplify' = elimattx ∘ elimnot ∘ elimredundanthyp ∘ elimdup ∘
decomphyp. In simplify', we use decomphyp instead of decomp, because the conclusion
of the considered clause is the fact we want to derive, so it must not be modified.

6.3 Soundness 

The following lemmas show the correctness of saturate and derivable (Figure 4). 
Proofs can be found in Appendix C. Intuitively, the correctness of saturate expresses 
that saturation preserves derivability, provided the secrecy assumptions are satisfied. 

Lemma 2 (Correctness of saturate) Let $F$ be a closed fact. If for all $F' \in \mathcal{F}_{not}$, no instance of $F'$ is derivable from $\text{saturate}(\mathcal{R}_0) \cup \mathcal{F}_{me}$, then $F$ is derivable from $\mathcal{R}_0 \cup \mathcal{F}_{me}$ if and only if $F$ is derivable from $\text{saturate}(\mathcal{R}_0) \cup \mathcal{F}_{me}$.

This result is proved by transforming a derivation of $F$ from $\mathcal{R}_0 \cup \mathcal{F}_{me}$ into a derivation of $F$ (or a fact in $\mathcal{F}_{not}$) from $\text{saturate}(\mathcal{R}_0) \cup \mathcal{F}_{me}$. Basically, when the derivation contains a clause $R'$ with $\text{sel}(R') \neq \emptyset$, we replace in this derivation two clauses $R$, with $\text{sel}(R) = \emptyset$, and $R'$ that have been combined by resolution during the execution of saturate with a single clause $R \circ_{F_0} R'$. This replacement decreases the number of clauses in the derivation, so it terminates, and, upon termination, all clauses of the obtained derivation satisfy $\text{sel}(R') = \emptyset$, so they are in $\text{saturate}(\mathcal{R}_0) \cup \mathcal{F}_{me}$.

Intuitively, the correctness of derivable expresses that if $F'$, an instance of $F$, is derivable, then $F'$ is derivable from $\mathcal{R}_1$ by a derivation in which the clause that concludes $F'$ is in $\text{derivable}(F, \mathcal{R}_1)$, provided the secrecy assumptions are satisfied.

Lemma 3 (Correctness of derivable) Let $F'$ be a closed instance of $F$. If for all $F'' \in \mathcal{F}_{not}$, $\text{derivable}(F'', \mathcal{R}_1) = \emptyset$, then $F'$ is derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$ if and only if there exist a clause $H \Rightarrow C$ in $\text{derivable}(F, \mathcal{R}_1)$ and a substitution $\sigma$ such that $\sigma C = F'$ and all elements of $\sigma H$ are derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$.

Basically, this result is proved by transforming a derivation of $F'$ from $\mathcal{R}_1 \cup \mathcal{F}_{me}$ into a derivation of $F'$ (or a fact in $\mathcal{F}_{not}$) whose last clause (the one that concludes $F'$) is $H \Rightarrow C$ and whose other clauses are still in $\mathcal{R}_1 \cup \mathcal{F}_{me}$. The transformation relies on the replacement of clauses combined by resolution during the execution of derivable.

It is important to apply saturate before derivable, so that all clauses in $\mathcal{R}_1$ have no selected hypothesis. Then the conclusion of these clauses is in general not $\text{attacker}(x)$ (with the simplifications of Section 6.2 and the selection function $\text{sel}_0$, it is never $\text{attacker}(x)$), so that we avoid unifying with $\text{attacker}(x)$.

Finally, the following theorem shows the correctness of $\text{solve}_{P_0', Init}$ (Figure 5). Below, when we require that $\text{solve}_{P_0', Init}(F)$ has a certain value, we also implicitly require that $\text{solve}_{P_0', Init}(F)$ does not terminate with error. Intuitively, if an instance $F'$ of $F$ is satisfied by a trace $T$, then $F'$ is derivable from $\mathcal{R}_{P_0', Init} \cup \mathcal{F}_{me}$, so, by the soundness of the solving algorithm, it is derivable by a derivation whose last clause is in $\text{solve}_{P_0', Init}(F)$. Then there must exist a clause $H \Rightarrow C \in \text{solve}_{P_0', Init}(F)$ that can be used to derive $F'$, so $F' = \sigma C$ and the hypothesis $\sigma H$ is derivable from $\mathcal{R}_{P_0', Init} \cup \mathcal{F}_{me}$. In particular, the events in $\sigma H$ are satisfied, that is, are in $\mathcal{F}_{me}$, so these events have been executed in the trace $T$. Theorem 2 below states this result formally. It is proved by combining Lemmas 2 and 3, and Theorem 1.
Theorem 2 (Main theorem) Let $P_0$ be a closed process and $P_0' = \text{instr}(P_0)$. Let $Q$ be an Init-adversary and $Q' = \text{instrAdv}(Q)$.

Consider a trace $T = S_0, E_0, \{P_0', Q'\} \to^* S', E', \mathcal{P}'$, with $fn(P_0') \cup Init \subseteq dom(E_0)$ and $E_0(a) = a[]$ for all $a \in dom(E_0)$.

If $T$ satisfies an instance $F'$ of $F$, then there exist a clause $H \Rightarrow C \in \text{solve}_{P_0', Init}(F)$ and a substitution $\sigma$ such that $F' = \sigma C$ and, for all $\text{m-event}(p)$ in $\sigma H$, $T$ satisfies $\text{event}(p)$.

Proof Since for all $F'' \in \mathcal{F}_{not}$, $\text{derivable}(F'', \mathcal{R}_1) = \emptyset$, by Lemma 3, no instance of $F''$ is derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me} = \text{saturate}(\mathcal{R}_{P_0', Init}) \cup \mathcal{F}_{me}$. This allows us to apply Lemma 2.

Let $\mathcal{F}_{me} = \{\text{m-event}(p') \mid T \text{ satisfies } \text{event}(p')\}$. By Theorem 1, since $T$ satisfies $F'$, $F'$ is derivable from $\mathcal{R}_{P_0', Init} \cup \mathcal{F}_{me}$. By Lemma 2, $F'$ is derivable from $\text{saturate}(\mathcal{R}_{P_0', Init}) \cup \mathcal{F}_{me} = \mathcal{R}_1 \cup \mathcal{F}_{me}$. By Lemma 3, there exist a clause $R = H \Rightarrow C$ in $\text{solve}_{P_0', Init}(F) = \text{derivable}(F, \mathcal{R}_1)$ and a substitution $\sigma$ such that $\sigma C = F'$ and all elements of $\sigma H$ are derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$. For all $\text{m-event}(p)$ in $\sigma H$, $\text{m-event}(p)$ is derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$. Since no clause in $\mathcal{R}_1$ has a conclusion of the form $\text{m-event}(p')$, $\text{m-event}(p) \in \mathcal{F}_{me}$. Given the choice of $\mathcal{F}_{me}$, this means that $T$ satisfies $\text{event}(p)$. □

Theorem 2 is our main correctness result: it allows one to show that some events 
must have been executed. The correctness of the analysis for correspondences follows 
from this theorem. 

Example 8 For the process $P$ of Section 2.3, $Init = \{c\}$, and $P' = \text{instr}(P)$, our tool shows that
$$\text{solve}_{P', Init}(\text{event}(e_B(x_1, x_2, x_3, x_4))) = \{\text{m-event}(e_1(pk_A, pk_B, p_a)) \wedge \text{m-event}(e_2(pk_A, pk_B, p_a, p_b)) \wedge \text{m-event}(e_3(pk_A, pk_B, p_a, p_b)) \Rightarrow \text{event}(e_B(pk_A, pk_B, p_a, p_b))\}$$
where $pk_A = pk(sk_A[])$, $pk_B = pk(sk_B[])$, $p_a = a[pk_B, i_A]$, and $p_b = b[\text{pencrypt}_p((p_a, pk_A), pk_B, r_1[pk_B, i_A]), i_B]$.

By Theorem 2, if $T$ satisfies $\text{event}(e_B(p_1, p_2, p_3, p_4))$, this event is an instance of $\text{event}(e_B(x_1, x_2, x_3, x_4))$, so, given the value of $\text{solve}_{P', Init}(\text{event}(e_B(x_1, x_2, x_3, x_4)))$, there exists $\sigma$ such that $\text{event}(e_B(p_1, p_2, p_3, p_4)) = \sigma\,\text{event}(e_B(pk_A, pk_B, p_a, p_b))$ and $T$ satisfies
$$\text{event}(\sigma e_1(pk_A, pk_B, p_a)) = \text{event}(e_1(p_1, p_2, p_3))$$
$$\text{event}(\sigma e_2(pk_A, pk_B, p_a, p_b)) = \text{event}(e_2(p_1, p_2, p_3, p_4))$$
$$\text{event}(\sigma e_3(pk_A, pk_B, p_a, p_b)) = \text{event}(e_3(p_1, p_2, p_3, p_4))$$
Therefore, if $\text{event}(e_B(M_1, M_2, M_3, M_4))$ has been executed, then $\text{event}(e_1(M_1, M_2, M_3))$, $\text{event}(e_2(M_1, M_2, M_3, M_4))$, and $\text{event}(e_3(M_1, M_2, M_3, M_4))$ have been executed.
7 Application to Correspondences

7.1 Non-injective Correspondences

Correspondences for instrumented processes can be checked as shown by the following 
theorem: 

Theorem 3 Let $P_0$ be a closed process and $P_0' = \text{instr}(P_0)$. Let $p_{jk}$ ($j \in \{1, \dots, m\}$, $k \in \{1, \dots, l_j\}$) be patterns; let $F$ and $F_j$ ($j \in \{1, \dots, m\}$) be facts. Assume that for all $R \in \text{solve}_{P_0', Init}(F)$, there exist $j \in \{1, \dots, m\}$, $\sigma'$, and $H$ such that $R = H \wedge \text{m-event}(\sigma' p_{j1}) \wedge \dots \wedge \text{m-event}(\sigma' p_{jl_j}) \Rightarrow \sigma' F_j$.

Then $P_0'$ satisfies the correspondence $F \Rightarrow \bigvee_{j=1}^{m} \big(F_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \text{event}(p_{jk})\big)$ against Init-adversaries.

Proof Let $Q$ be an Init-adversary and $Q' = \text{instrAdv}(Q)$. Consider a trace $T = S_0, E_0, \{P_0', Q'\} \to^* S', E', \mathcal{P}'$, with $fn(P_0') \cup Init \subseteq dom(E_0)$ and $E_0(a) = a[]$ for all $a \in dom(E_0)$. Assume that $T$ satisfies $\sigma F$. By Theorem 2, there exist $R = H' \Rightarrow C \in \text{solve}_{P_0', Init}(F)$ and $\sigma''$ such that $\sigma F = \sigma'' C$ and for all $\text{m-event}(p)$ in $\sigma'' H'$, $T$ satisfies $\text{event}(p)$. All clauses $R$ in $\text{solve}_{P_0', Init}(F)$ are of the form $H \wedge \text{m-event}(\sigma' p_{j1}) \wedge \dots \wedge \text{m-event}(\sigma' p_{jl_j}) \Rightarrow \sigma' F_j$ for some $j$ and $\sigma'$. So, there exist $j$ and $\sigma'$ such that for all $k \in \{1, \dots, l_j\}$, $\text{m-event}(\sigma' p_{jk}) \in H'$ and $C = \sigma' F_j$. Hence $\sigma F = \sigma'' C = \sigma''\sigma' F_j$ and for all $k \in \{1, \dots, l_j\}$, $\text{m-event}(\sigma''\sigma' p_{jk}) \in \sigma'' H'$, so $T$ satisfies $\text{event}(\sigma''\sigma' p_{jk})$, so we have the result. □

From this theorem and Lemma 1, we obtain correspondences for standard pro- 
cesses. 

Theorem 4 Let $P_0$ be a closed process and $P_0' = \text{instr}(P_0)$. Let $M_{jk}$ ($j \in \{1, \dots, m\}$, $k \in \{1, \dots, l_j\}$) be terms; let $\alpha$ and $\alpha_j$ ($j \in \{1, \dots, m\}$) be atoms. Let $p_{jk}$, $F$, $F_j$ be the patterns and facts obtained by replacing names $a$ with patterns $a[]$ in the terms and atoms $M_{jk}$, $\alpha$, $\alpha_j$ respectively. Assume that, for all clauses $R$ in $\text{solve}_{P_0', Init}(F)$, there exist $j \in \{1, \dots, m\}$, $\sigma'$, and $H$ such that $R = H \wedge \text{m-event}(\sigma' p_{j1}) \wedge \dots \wedge \text{m-event}(\sigma' p_{jl_j}) \Rightarrow \sigma' F_j$.

Then $P_0$ satisfies the correspondence $\alpha \Rightarrow \bigvee_{j=1}^{m} \big(\alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \text{event}(M_{jk})\big)$ against Init-adversaries.

Example 9 For the process $P$ of Section 2.3, $Init = \{c\}$, and $P' = \text{instr}(P)$, the value of $\text{solve}_{P', Init}(\text{event}(e_B(x_1, x_2, x_3, x_4)))$ given in Example 8 shows that $P$ satisfies the correspondence $\text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \text{event}(e_1(x_1, x_2, x_3)) \wedge \text{event}(e_2(x_1, x_2, x_3, x_4)) \wedge \text{event}(e_3(x_1, x_2, x_3, x_4))$ against Init-adversaries.

As particular cases of correspondences, we can show secrecy and non-injective 
agreement: 

Corollary 1 (Secrecy) Let $P_0$ be a closed process and $P_0' = \text{instr}(P_0)$. Let $N$ be a term. Let $p$ be the pattern obtained by replacing names $a$ with patterns $a[]$ in the term $N$. Assume that $\text{solve}_{P_0', Init}(\text{attacker}(p)) = \emptyset$. Then $P_0$ preserves the secrecy of all instances of $N$ from $Init$.

Intuitively, if no instance of attacker(p) is derivable from the clauses representing the 
protocol, then the adversary cannot have an instance of the term N corresponding to p. 

Example 10 For the process $P$ of Section 2.3, $Init = \{c\}$, and $P' = \text{instr}(P)$, our tool shows that $\text{solve}_{P', Init}(\text{attacker}(sAa[])) = \emptyset$. So $P$ preserves the secrecy of $sAa$ from $Init$. The situation is similar for $sAb$, $sBa$, and $sBb$.

Corollary 2 (Non-injective agreement) Let $P_0$ be a closed process and $P_0' = \text{instr}(P_0)$. Assume that, for each $R \in \text{solve}_{P_0', Init}(\text{event}(e(x_1, \dots, x_n)))$ such that $R = H \Rightarrow \text{event}(e(p_1, \dots, p_n))$, we have $\text{m-event}(e'(p_1, \dots, p_n)) \in H$. Then $P_0$ satisfies the correspondence $\text{event}(e(x_1, \dots, x_n)) \rightsquigarrow \text{event}(e'(x_1, \dots, x_n))$ against Init-adversaries.

Intuitively, the condition means that, if $\text{event}(e(p_1, \dots, p_n))$ can be derived, $\text{m-event}(e'(p_1, \dots, p_n))$ occurs in the hypotheses. Then the theorem says that, if $\text{event}(e(M_1, \dots, M_n))$ has been executed, then $\text{event}(e'(M_1, \dots, M_n))$ has been executed.

Example 11 For the process $P$ of Section 2.3, $Init = \{c\}$, and $P' = \text{instr}(P)$, the value of $\text{solve}_{P', Init}(\text{event}(e_B(x_1, x_2, x_3, x_4)))$ given in Example 8 also shows that $P$ satisfies the correspondence $\text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \text{event}(e_3(x_1, x_2, x_3, x_4))$ against Init-adversaries. The tool shows in a similar way that $P$ satisfies the correspondence $\text{event}(e_A(x_1, x_2, x_3, x_4)) \rightsquigarrow \text{event}(e_2(x_1, x_2, x_3, x_4))$ against Init-adversaries.

7.2 General Correspondences 

In this section, we explain how to prove general correspondences. Moreover, we also show that, when our verifier proves injectivity, it proves recentness as well. For example, when it proves a correspondence $\text{event}(M) \rightsquigarrow inj\ \text{event}(M')$, it shows that, when the event $\text{event}(M)$ has been executed, not only has the event $\text{event}(M')$ been executed, but it has been executed recently. As explained by Lowe [54], the precise meaning of "recent" depends on the circumstances: it can be that $\text{event}(M)$ is executed within the duration of the part of the process after $\text{event}(M')$, or it can be within a certain number of time units. Here, we define recentness as follows: the runtime of the session that executes $\text{event}(M)$ overlaps with the runtime of the session that executes the corresponding $\text{event}(M')$ event.

We can formally define recent correspondences for instrumented processes as follows. We assume that, in $P_0$, the events are under at least one replication. We define an instrumented process $P_0' = \text{instr}'(P_0)$, where $\text{instr}'(P_0)$ is defined like $\text{instr}(P_0)$, except that the events $\text{event}(M)$ in $P_0$ are replaced with $\text{event}(M, i)$, where $i$ is the session identifier that labels the down-most replication above $\text{event}(M)$ in $P_0$. The session identifier $i$ indicates the session in which the considered event is executed. When $\widetilde{k} = k_1 \dots k_n$ is a non-empty sequence of indices, we denote by $\widetilde{k}^-$ the sequence obtained by removing the last index from $\widetilde{k}$: $\widetilde{k}^- = k_1 \dots k_{n-1}$.

Definition 14 Let $P_0$ be a closed process and $P_0' = \text{instr}'(P_0)$. We say that $P_0'$ satisfies the recent correspondence
$$\text{event}(p) \Rightarrow \bigvee_{j=1}^{m}\Big(\text{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [inj]_{jk}\, q_{jk}\Big)$$
where
$$q_{\widetilde{jk}} = \text{event}(p_{\widetilde{jk}}) \rightsquigarrow \bigvee_{j=1}^{m_{\widetilde{jk}}} \bigwedge_{k=1}^{l_{\widetilde{jk}j}} [inj]_{\widetilde{jk}jk}\, q_{\widetilde{jk}jk}$$
against Init-adversaries if and only if for any Init-adversary $Q$, for any trace $T = S_0, E_0, \{P_0', Q'\} \to^* S', E', \mathcal{P}'$, with $Q' = \text{instrAdv}(Q)$, $E_0(a) = a[]$ for all $a \in dom(E_0)$, and $fn(P_0') \cup Init \subseteq dom(E_0)$, there exists a function $\phi_{\widetilde{jk}}$ for each non-empty $\widetilde{jk}$, such that for all non-empty $\widetilde{jk}$, $\phi_{\widetilde{jk}}$ maps a subset of steps of $T$ to steps of $T$ and

• For all $\tau$, if the event $\text{event}(\sigma p, \lambda_\varepsilon)$ is executed at step $\tau$ in $T$ for some $\sigma$ and $\lambda_\varepsilon$, then there exist $\sigma'$ and $J = (j_{\widetilde{k}})_{\widetilde{k}}$ such that $\sigma' p'_{j_\varepsilon} = \sigma p$ and, for all non-empty $\widetilde{k}$, $\phi_{\text{makejk}(\widetilde{k}, J)}(\tau)$ is defined, $\text{event}(\sigma' p_{\text{makejk}(\widetilde{k}, J)}, \lambda_{\widetilde{k}})$ is executed at step $\phi_{\text{makejk}(\widetilde{k}, J)}(\tau)$ in $T$, and if $[inj]_{\text{makejk}(\widetilde{k}, J)} = inj$, then the runtimes of $\text{session}(\lambda_{\widetilde{k}})$ and $\text{session}(\lambda_{\widetilde{k}^-})$ overlap (recentness).

The runtime of $\text{session}(\lambda)$ begins when the rule $S, E, \mathcal{P} \cup \{!^i P\} \to S \setminus \{\lambda\}, E, \mathcal{P} \cup \{P\{\lambda/i\}, !^i P\}$ is applied and ends when $P\{\lambda/i\}$ has disappeared.

• For all non-empty $\widetilde{jk}$, if $[inj]_{\widetilde{jk}} = inj$, then $\phi_{\widetilde{jk}}$ is injective.

• For all non-empty $\widetilde{jk}$, for all $j$ and $k$, if $\phi_{\widetilde{jk}jk}(\tau)$ is defined, then $\phi_{\widetilde{jk}}(\tau)$ is defined and $\phi_{\widetilde{jk}jk}(\tau) < \phi_{\widetilde{jk}}(\tau)$. For all $j$ and $k$, if $\phi_{jk}(\tau)$ is defined, then $\phi_{jk}(\tau) < \tau$.

We do not define recentness for standard processes, since it is difficult to track formally 
the runtime of a session in these processes. Instrumented processes make that very easy 
thanks to session identifiers. It is easy to infer correspondences for standard processes 
from recent correspondences for instrumented processes, with a proof similar to that of 
Lemma 1. 

Lemma 4 Let $P_0$ be a closed process and $P_0' = \text{instr}'(P_0)$. Let $M_{\widetilde{jk}}$, $M$, and $M'_j$ be terms. Let $p_{\widetilde{jk}}$, $p$, $p'_j$ be the patterns obtained by replacing names $a$ with patterns $a[]$ in the terms $M_{\widetilde{jk}}$, $M$, $M'_j$ respectively. If $P_0'$ satisfies the recent correspondence
$$\text{event}(p) \Rightarrow \bigvee_{j=1}^{m}\Big(\text{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [inj]_{jk}\, q_{jk}\Big)$$
where
$$q_{\widetilde{jk}} = \text{event}(p_{\widetilde{jk}}) \rightsquigarrow \bigvee_{j=1}^{m_{\widetilde{jk}}} \bigwedge_{k=1}^{l_{\widetilde{jk}j}} [inj]_{\widetilde{jk}jk}\, q_{\widetilde{jk}jk}$$
against Init-adversaries then $P_0$ satisfies the correspondence
$$\text{event}(M) \Rightarrow \bigvee_{j=1}^{m}\Big(\text{event}(M'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [inj]_{jk}\, q'_{jk}\Big)$$
where
$$q'_{\widetilde{jk}} = \text{event}(M_{\widetilde{jk}}) \rightsquigarrow \bigvee_{j=1}^{m_{\widetilde{jk}}} \bigwedge_{k=1}^{l_{\widetilde{jk}j}} [inj]_{\widetilde{jk}jk}\, q'_{\widetilde{jk}jk}$$
against Init-adversaries.

Let $P_0$ be a closed process and $P_0' = \text{instr}'(P_0)$. We adapt the generation of clauses as follows: the set of clauses $\mathcal{R}'_{P_0', Init}$ is defined as $\mathcal{R}_{P_0', Init}$ except that
$$[\overline{M}\langle N\rangle.P]\rho H = [P]\rho H \cup \{H\{\rho|_{V_0 \cup V}/\square\} \Rightarrow \text{message}(\rho(M), \rho(N))\}$$
$$[!^i P]\rho H = [P](\rho[i \mapsto i])(H\{\rho|_{V_0 \cup V}/\square\})$$
$$[\text{event}(M, i).P]\rho H = [P]\rho(H \wedge \text{m-event}(\rho(M), \square)) \cup \{H \Rightarrow \text{event}(\rho(M), i)\}$$
where $\square$ is a special variable. The predicate event has as additional argument the session identifier in which the event is executed. The predicate m-event has as additional argument an environment $\rho$ that gives values that variables will contain at the first output or replication that follows the event; $\square$ is a placeholder for this environment. We define $\text{solve}'_{P_0', Init}$ as $\text{solve}_{P_0', Init}$ except that it applies to $\mathcal{R}'_{P_0', Init}$ instead of $\mathcal{R}_{P_0', Init}$.

Let us first consider the particular case of injective correspondences. We consider 
general correspondences in Theorem 5 below. 

Proposition 2 (Injective correspondences) Let $P_0$ be a closed process and $P_0' = \text{instr}'(P_0)$. We assume that, in $P_0$, all events are of the form $\text{event}(f(M_1, \dots, M_n))$ and that different occurrences of event have different root function symbols.

We also assume that the patterns $p, p'_j, p_{jk}$ satisfy the following conditions: $p$ and $p'_j$ for $j \in \{1, \dots, m\}$ are of the form $f(\dots)$ for some function symbol $f$ and for all $j$, $k$ such that $[inj]_{jk} = inj$, $p_{jk} = f_{jk}(\dots)$ for some function symbol $f_{jk}$.

Let $\text{solve}'_{P_0', Init}(\text{event}(p, i)) = \{R_{jr} \mid j \in \{1, \dots, m\}, r \in \{1, \dots, n_j\}\}$. Assume that there exist $x_{jk}$, $i_{jr}$, and $\rho_{jrk}$ ($j \in \{1, \dots, m\}$, $r \in \{1, \dots, n_j\}$, $k \in \{1, \dots, l_j\}$) such that

• For all $j \in \{1, \dots, m\}$, for all $r \in \{1, \dots, n_j\}$, there exist $H$ and $\sigma$ such that $R_{jr} = H \wedge \text{m-event}(\sigma p_{j1}, \rho_{jr1}) \wedge \dots \wedge \text{m-event}(\sigma p_{jl_j}, \rho_{jrl_j}) \Rightarrow \text{event}(\sigma p'_j, i_{jr})$.

• For all $j \in \{1, \dots, m\}$, for all $r$ and $r'$ in $\{1, \dots, n_j\}$, for all $k \in \{1, \dots, l_j\}$ such that $[inj]_{jk} = inj$, $\rho_{jrk}(x_{jk})\{\lambda/i_{jr}\}$ does not unify with $\rho_{jr'k}(x_{jk})\{\lambda'/i_{jr'}\}$ when $\lambda \neq \lambda'$.

Then $P_0'$ satisfies the recent correspondence
$$\text{event}(p) \Rightarrow \bigvee_{j=1}^{m}\Big(\text{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [inj]_{jk}\, \text{event}(p_{jk})\Big)$$
against Init-adversaries.

This proposition is a particular case of Theorem 5 below. It is proved in Appendix E. By Theorem 3, after deleting session identifiers and environments, the first item shows that $P_0'$ satisfies the correspondence


The environments and session identifiers as well as the second item serve in proving injectivity. Suppose that $[inj]_{jk} = inj$, and denote by $\_$ an unknown term. If two instances of $\text{event}(p, i)$ are executed in $P_0'$ for the branch $j$ of the correspondence, by the first item, they are instances of $\text{event}(\sigma_{jr} p'_j, i_{jr})$ for some $r$, so they are $\text{event}(\sigma'_1\sigma_{jr_1} p'_j, \sigma'_1 i_{jr_1})$ and $\text{event}(\sigma'_2\sigma_{jr_2} p'_j, \sigma'_2 i_{jr_2})$ for some $\sigma'_1$ and $\sigma'_2$. Furthermore, there is only one occurrence of $\text{event}(f(\dots), i)$ in $P_0'$, so the event $\text{event}(f(\dots), \_)$ can be executed at most once for each value of the session identifier $i$, so $\sigma'_1 i_{jr_1} \neq \sigma'_2 i_{jr_2}$. Then, by the first item, corresponding events $\text{event}(\sigma'_1\sigma_{jr_1} p_{jk}, \_)$ and $\text{event}(\sigma'_2\sigma_{jr_2} p_{jk}, \_)$ have been executed, with associated environments $\sigma'_1\rho_{jr_1k}$ and $\sigma'_2\rho_{jr_2k}$. By the second item, $\rho_{jr_1k}(x_{jk})\{\lambda_1/i_{jr_1}\}$ does not unify with $\rho_{jr_2k}(x_{jk})\{\lambda_2/i_{jr_2}\}$ for different values $\lambda_1 = \sigma'_1 i_{jr_1}$ and $\lambda_2 = \sigma'_2 i_{jr_2}$ of the session identifier. (In this condition, $r_1$ can be equal to $r_2$, and when $r_1 = r_2 = r$, the condition simply means that $i_{jr}$ occurs in $\rho_{jrk}$.) So $\sigma'_1\rho_{jr_1k}(x_{jk}) \neq \sigma'_2\rho_{jr_2k}(x_{jk})$, so the events $\text{event}(\sigma'_1\sigma_{jr_1} p_{jk}, \_)$ and $\text{event}(\sigma'_2\sigma_{jr_2} p_{jk}, \_)$ are distinct, which shows injectivity. This point is very similar to the fact that injective agreement is implied by non-injective agreement when the parameters of events contain nonces generated by the agent to whom authentication is being made, because the event can be executed at most once for each value of the nonce. (The session identifier $i_{jr}$ in our theorem plays the role of the nonce.) [Andrew Gordon, personal communication].

Corollary 3 (Recent injective agreement) Let $P_0$ be a closed process and $P_0' = \text{instr}'(P_0)$. We assume that, in $P_0$, all events are of the form $\text{event}(f(M_1, \dots, M_k))$ and that different occurrences of event have different root function symbols. Let $\{R_1, \dots, R_n\} = \text{solve}'_{P_0', Init}(\text{event}(e(x_1, \dots, x_m), i))$. Assume that there exist $x$, $i_r$, and $\rho_r$ ($r \in \{1, \dots, n\}$) such that

• For all $r \in \{1, \dots, n\}$, $R_r = H \wedge \text{m-event}(e'(p_1, \dots, p_m), \rho_r) \Rightarrow \text{event}(e(p_1, \dots, p_m), i_r)$ for some $p_1, \dots, p_m$, and $H$.

• For all $r$ and $r'$ in $\{1, \dots, n\}$, $\rho_r(x)\{\lambda/i_r\}$ does not unify with $\rho_{r'}(x)\{\lambda'/i_{r'}\}$ when $\lambda \neq \lambda'$.




(13) 
Then $P_0'$ satisfies the recent correspondence $\text{event}(e(x_1, \dots, x_m)) \rightsquigarrow inj\ \text{event}(e'(x_1, \dots, x_m))$ against Init-adversaries.

Proof This result is an immediate consequence of Proposition 2. □

Example 12 For the process $P$ of Section 2.3, $P' = \text{instr}'(P)$, and $Init = \{c\}$, we have
$$\text{solve}'_{P', Init}(\text{event}(e_B(x_1, x_2, x_3, x_4), i)) = \{H \wedge \text{m-event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), \rho) \Rightarrow \text{event}(e_B(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), i_{B0})\}$$
where $pk_A = pk(sk_A[])$, $pk_B = pk(sk_B[])$,
$p_1 = \text{pencrypt}_p((a[pk_B, i_{A0}], pk_A), pk_B, r_1[pk_B, i_{A0}])$,
$p_2 = \text{pencrypt}_p((a[pk_B, i_{A0}], b[p_1, i_{B0}], pk_B), pk_A, r_2[p_1, i_{B0}])$,
$\rho = \{i_A \mapsto i_{A0}, x\_pk_B \mapsto pk_B, m \mapsto p_2\}$.

Intuitively, this result shows that each event $e_B(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$, executed in the session of index $i_B = i_{B0}$, is preceded by an event $e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ executed in the session of index $i_A = i_{A0}$ with $x\_pk_B = pk_B$ and $m = p_2$. Since $i_{B0}$ occurs in this event (or in its environment$^4$), different executions of $e_B$, which have different values of $i_{B0}$, cannot correspond to the same execution of $e_3$, so we have injectivity. More formally, the second hypothesis of Corollary 3 is satisfied because $\rho(m)\{\lambda/i_{B0}\}$ does not unify with $\rho(m)\{\lambda'/i_{B0}\}$ when $\lambda \neq \lambda'$, since $i_{B0}$ occurs in $\rho(m) = p_2$. Then, $P'$ satisfies the recent correspondence $\text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow inj\ \text{event}(e_3(x_1, x_2, x_3, x_4))$ against Init-adversaries.

The tool shows in a similar way that $P'$ satisfies the recent correspondence $\text{event}(e_A(x_1, x_2, x_3, x_4)) \rightsquigarrow inj\ \text{event}(e_2(x_1, x_2, x_3, x_4))$ against Init-adversaries.

Let us now consider the case of general correspondences. The basic idea is to decompose the general correspondence to prove into several correspondences. For instance, the correspondence $\text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow (\text{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \text{event}(e_2(x_1, x_2, x_3, x_4)))$ is implied by the conjunction of the correspondences $\text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \text{event}(e_3(x_1, x_2, x_3, x_4))$ and $\text{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \text{event}(e_2(x_1, x_2, x_3, x_4))$. However, as noted in Section 3.3, this proof technique would often fail because, in order to prove that $e_2(x_1, x_2, x_3, x_4)$ has been executed, we may need to know that $e_B(x_1, x_2, x_3, x_4)$ has been executed, and not only that $e_3(x_1, x_2, x_3, x_4)$ has been executed. To solve this problem, we use the following idea: when we know that $e_B(x_1, x_2, x_3, x_4)$ has been executed, we may be able to show that certain particular instances of $e_3(x_1, x_2, x_3, x_4)$ have been executed, and we can exploit this information in order to prove that $e_2(x_1, x_2, x_3, x_4)$ has been executed. In other words, we rather prove the correspondences $\text{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow \bigvee_{r=1}^{m} \sigma_r\,\text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \sigma_r\,\text{event}(e_3(x_1, x_2, x_3, x_4))$ and, for all $r \le m$, $\sigma_r\,\text{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \sigma_r\,\text{event}(e_2(x_1, x_2, x_3, x_4))$. When the considered general correspondence has several nesting levels, we perform such a decomposition recursively. The next theorem generalizes and formalizes these ideas.

4 In general, the environment may contain more variables than the event itself, so looking for the session identifiers in the environment instead of the event is more powerful.

Below, the notation $(Env_{\widetilde{jk}})_{\widetilde{jk}}$ represents a family $Env_{\widetilde{jk}}$ of sets of pairs $(\rho, i)$ where $\rho$ is an environment and $i$ is a session identifier, one for each non-empty $\widetilde{jk}$. The notation $(Env_{jk\widetilde{jk}})_{\widetilde{jk}}$ represents a subfamily of $(Env_{\widetilde{jk}})_{\widetilde{jk}}$ in which the first two indices are $jk$, and this family is reindexed by omitting the fixed indices $jk$.

Theorem 5 Let $P_0$ be a closed process and $P_0' = \text{instr}'(P_0)$. We assume that, in $P_0$, all events are of the form $\text{event}(f(M_1, \dots, M_n))$ and that different occurrences of event have different root function symbols.

Let us define $\text{verify}(q', (Env_{\widetilde{jk}})_{\widetilde{jk}})$, where $\widetilde{jk}$ is non-empty, by:

V1. If $q' = \text{event}(p)$ for some $p$, then $\text{verify}(q', (Env_{\widetilde{jk}})_{\widetilde{jk}})$ is true.

V2. If $q' = \text{event}(p) \Rightarrow \bigvee_{j=1}^{m}\big(\text{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [inj]_{jk}\, q'_{jk}\big)$ and $q'_{jk} = \text{event}(p_{jk}) \dots$ for some $p$, $p'_j$, and $p_{jk}$, where $m \neq 1$, $l_j \neq 0$, or $p \neq p'_1$, then $\text{verify}(q', (Env_{\widetilde{jk}})_{\widetilde{jk}})$ is true if and only if there exists $(\sigma_{jr})_{jr}$ such that the following three conditions hold:

V2.1. We have $\text{solve}'_{P_0', Init}(\text{event}(p, i)) \subseteq \{H \wedge \bigwedge_{k=1}^{l_j} \text{m-event}(\sigma_{jr} p_{jk}, \rho_{jrk}) \Rightarrow \text{event}(\sigma_{jr} p'_j, i_{jr}) \mid \text{for some } H,\ j \in \{1, \dots, m\},\ r, \text{ and } (\rho_{jrk}, i_{jr}) \in Env_{jk} \text{ for all } k\}$.

V2.2. For all $j$, $r$, $k_0$, the common variables between $\sigma_{jr} q'_{jk_0}$ on the one hand and $\sigma_{jr} p'_j$ and $\sigma_{jr} q'_{jk}$ for all $k \neq k_0$ on the other hand occur in $\sigma_{jr} p_{jk_0}$.

V2.3. For all $j$, $r$, $k$, $\text{verify}(\sigma_{jr} q'_{jk}, (Env_{jk\widetilde{jk}})_{\widetilde{jk}})$ is true.

Consider the following recent correspondence:
$$q = \text{event}(p) \Rightarrow \bigvee_{j=1}^{m}\Big(\text{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [inj]_{jk}\, q_{jk}\Big)$$
where
$$q_{\widetilde{jk}} = \text{event}(p_{\widetilde{jk}}) \rightsquigarrow \bigvee_{j=1}^{m_{\widetilde{jk}}} \bigwedge_{k=1}^{l_{\widetilde{jk}j}} [inj]_{\widetilde{jk}jk}\, q_{\widetilde{jk}jk}$$
We assume that the patterns in the correspondence satisfy the following conditions: $p$ and $p'_j$ for $j \in \{1, \dots, m\}$ are of the form $f(\dots)$ for some function symbol $f$ and, for all non-empty $\widetilde{jk}$ such that $[inj]_{\widetilde{jk}} = inj$, $p_{\widetilde{jk}} = f_{\widetilde{jk}}(\dots)$ for some function symbol $f_{\widetilde{jk}}$. We also assume that if $inj$ occurs in $q_{\widetilde{jk}}$, then $[inj]_{\widetilde{jk}} = inj$.

Assume that there exist $(Env_{\widetilde{jk}})_{\widetilde{jk}}$ and $(x_{\widetilde{jk}})_{\widetilde{jk}}$, where $\widetilde{jk}$ is non-empty, such that

H1. $\text{verify}(q, (Env_{\widetilde{jk}})_{\widetilde{jk}})$ is true.

H2. For all non-empty $\widetilde{jk}$, if $[inj]_{\widetilde{jk}} = inj$, then for all $(\rho, i), (\rho', i') \in Env_{\widetilde{jk}}$, $\rho(x_{\widetilde{jk}})\{\lambda/i\}$ does not unify with $\rho'(x_{\widetilde{jk}})\{\lambda'/i'\}$ when $\lambda \neq \lambda'$.

Then $P_0'$ satisfies the recent correspondence $q$ against Init-adversaries.

This theorem is rather complex, so we give some intuition here. Its proof can be found in Appendix E.

Point V2.1 allows us to infer correspondences by Theorem 3: after deleting session identifiers and environments, $P_0'$ satisfies the correspondences:
$$\text{event}(p) \Rightarrow \bigvee_{j=1..m,\ r}\Big(\text{event}(\sigma_{jr} p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} \text{event}(\sigma_{jr} p_{jk})\Big) \qquad (14)$$
and, using the recursive calls of Point V2.3,
$$\text{event}(\sigma^!_{\widetilde{jrk}}\, p_{\widetilde{jk}}) \Rightarrow \bigvee_{j=1..m_{\widetilde{jk}},\ r}\Big(\text{event}(\sigma^!_{\widetilde{jrk}jr}\, p_{\widetilde{jk}}) \rightsquigarrow \bigwedge_{k=1}^{l_{\widetilde{jk}j}} \text{event}(\sigma^!_{\widetilde{jrk}jr}\, p_{\widetilde{jk}jk})\Big) \qquad (15)$$
against Init-adversaries, where $\sigma^!_{\widetilde{jrk}} = \sigma_{\widetilde{jrk}}\,\sigma_{\widetilde{jrk}^-} \cdots \sigma_{jr}$ is the composition of the substitutions obtained along the nested calls, and we denote by $\sigma_{\widetilde{jrk}jr}$ the substitution $\sigma_{jr}$ obtained in the recursive call to verify indexed by $\widetilde{jrk}$. In order to infer the desired correspondence, we need to show injectivity properties and to combine the correspondences (14) and (15) into a single correspondence. Injectivity comes from Hypothesis H2: this hypothesis generalizes the second item of Proposition 2 to the case of general correspondences.

The correspondences (14) and (15) are combined into a single correspondence using Point V2.2. We illustrate this point on the simple example of the correspondence $\text{event}(p) \Rightarrow (\text{event}(p'_1) \rightsquigarrow (\text{event}(p_{11}) \rightsquigarrow \text{event}(p_{1111})))$. By V2.1 and the recursive call of V2.3, we have correspondences of the form:
$$\text{event}(p) \Rightarrow \bigvee_{r}\big(\text{event}(\sigma_{1r} p'_1) \rightsquigarrow \text{event}(\sigma_{1r} p_{11})\big) \qquad (16)$$
$$\text{event}(\sigma_{1r} p_{11}) \Rightarrow \bigvee_{r'}\big(\text{event}(\sigma_{1r11r'}\sigma_{1r} p_{11}) \rightsquigarrow \text{event}(\sigma_{1r11r'}\sigma_{1r} p_{1111})\big) \qquad (17)$$
for some $\sigma_{1r}$ and $\sigma_{1r11r'}$. The correspondence (17) implies the simpler correspondence
$$\text{event}(\sigma_{1r} p_{11}) \rightsquigarrow \text{event}(\sigma_{1r} p_{1111}). \qquad (18)$$
Furthermore, if an instance of $\text{event}(p)$ is executed, $e_1 = \text{event}(\sigma p)$, then by (16), for some $r$ and $\sigma'_1$ such that $\sigma p = \sigma'_1\sigma_{1r} p'_1$, the event $e_2 = \text{event}(\sigma'_1\sigma_{1r} p_{11})$ has been executed before $e_1$. By (18), for some $\sigma'_2$ such that $\sigma'_1\sigma_{1r} p_{11} = \sigma'_2\sigma_{1r} p_{11}$, the event $e_3 = \text{event}(\sigma'_2\sigma_{1r} p_{1111})$ has been executed before $e_2$. We now need to reconcile the substitutions $\sigma'_1$ and $\sigma'_2$; this can be done thanks to V2.2. Let us define $\sigma''$ such that $\sigma'' x = \sigma'_1 x$ for $x \in fv(\sigma_{1r} p_{11}) \cup fv(\sigma_{1r} p'_1)$ and $\sigma'' x = \sigma'_2 x$ for $x \in fv(\sigma_{1r} p_{1111}) \cup fv(\sigma_{1r} p_{11})$. Such a substitution $\sigma''$ exists because the common variables between $fv(\sigma_{1r} p_{11}) \cup fv(\sigma_{1r} p'_1)$ and $fv(\sigma_{1r} p_{1111}) \cup fv(\sigma_{1r} p_{11})$ occur in $\sigma_{1r} p_{11}$ by V2.2, and for the variables $x \in fv(\sigma_{1r} p_{11})$, $\sigma'_1 x = \sigma'_2 x$ since $\sigma'_1\sigma_{1r} p_{11} = \sigma'_2\sigma_{1r} p_{11}$. So, for some $r$ and $\sigma''$ such that $\sigma p = \sigma''\sigma_{1r} p'_1$, the event $e_2 = \text{event}(\sigma''\sigma_{1r} p_{11})$ has been executed before $e_1$ and $e_3 = \text{event}(\sigma''\sigma_{1r} p_{1111})$ has been executed before $e_2$. This result proves the desired correspondence $\text{event}(p) \Rightarrow (\text{event}(p'_1) \rightsquigarrow (\text{event}(p_{11}) \rightsquigarrow \text{event}(p_{1111})))$. Point V2.2 generalizes this technique to any correspondence.

In the implementation, the hypotheses of this theorem are checked as follows. In order to check $\text{verify}(q', (Env_{\widetilde{jk}})_{\widetilde{jk}})$, we first compute $\text{solve}'_{P_0', Init}(\text{event}(p, i))$. By matching, we check V2.1 and obtain the values of $\sigma_{jr}$, $\rho_{jrk}$, and $i_{jr}$ for all $j$, $r$, and $k$. We add $(\rho_{jrk}, i_{jr})$ to $Env_{jk}$. We compute $\sigma_{jr} p'_j$ and $\sigma_{jr} q'_{jk}$ for each $j$, $r$, and $k$, and check V2.2 and V2.3.

After checking $\text{verify}(q', (Env_{\widetilde{jk}})_{\widetilde{jk}})$, we finally check Hypothesis H2 for each $\widetilde{jk}$. We start with a set that contains the whole domain of $\rho$ for some $(\rho, i) \in Env_{\widetilde{jk}}$. For each $(\rho, i)$ and $(\rho', i')$ in $Env_{\widetilde{jk}}$, we remove from this set the variables $x$ such that $\rho(x)\{\lambda/i\}$ unifies with $\rho'(x)\{\lambda'/i'\}$ for $\lambda \neq \lambda'$. When the obtained set is non-empty, Hypothesis H2 is satisfied by taking for $x_{\widetilde{jk}}$ any element of the obtained set. Otherwise, Hypothesis H2 is not satisfied.
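The following Python sketch is an added illustration, not code from the paper or from its tool: on a toy tuple encoding of patterns it implements the elimredundanthyp simplification of Section 6.2 (applied one hypothesis at a time) and the Hypothesis H2 check just described, and runs the latter on the environment ρ of Example 12. The names `Var`, `unify`, `elimredundanthyp` and `h2_witness`, the `pair`/`triple` symbols used for tuples, and the two constants standing for distinct session values λ and λ′ are assumptions of this example.

```python
"""Added example (not the paper's own code): a term/unification kernel, the
elimredundanthyp rule of Section 6.2 and the Hypothesis H2 check of Section 7.2."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    name: str

# Encoding (assumption of this example): a pattern is a Var or a tuple
# (symbol, arg1, ..., argn). Names a[...] use the symbol "a[]"; facts are
# tuples too, e.g. ("attacker", t) or ("m-event", t).
def apply(subst, t):
    """Apply a triangular substitution {Var: term}, chasing bindings."""
    if isinstance(t, Var):
        return apply(subst, subst[t]) if t in subst else t
    return (t[0],) + tuple(apply(subst, a) for a in t[1:])

def variables(t):
    if isinstance(t, Var):
        return {t}
    return set().union(*(variables(a) for a in t[1:]))

def unify(t1, t2, frozen=frozenset()):
    """Most general unifier of t1 and t2 as a dict, or None if none exists.
    Variables in `frozen` behave like constants, which turns unification
    into matching (only the non-frozen variables may be instantiated)."""
    s, stack = {}, [(t1, t2)]
    while stack:
        a, b = stack.pop()
        a, b = apply(s, a), apply(s, b)
        if a == b:
            continue
        if isinstance(a, Var) and a not in frozen:
            if a in variables(b):            # occurs check
                return None
            s[a] = b
        elif isinstance(b, Var) and b not in frozen:
            if b in variables(a):
                return None
            s[b] = a
        elif isinstance(a, Var) or isinstance(b, Var) or a[0] != b[0] or len(a) != len(b):
            return None
        else:
            stack.extend(zip(a[1:], b[1:]))
    return s

def elimredundanthyp(hyps, concl):
    """Section 6.2: drop hypothesis F when some sigma maps F onto another
    hypothesis without changing the variables of the rest of the clause.
    This is the rule with H = {F}, repeated to a fixpoint (sound, not exhaustive)."""
    hyps = list(hyps)
    changed = True
    while changed:
        changed = False
        for idx, fact in enumerate(hyps):
            rest = hyps[:idx] + hyps[idx + 1:]
            keep = set().union(variables(concl), *(variables(g) for g in rest))
            if any(unify(fact, g, frozen=keep) is not None for g in rest):
                hyps, changed = rest, True
                break
    return hyps, concl

def h2_witness(env):
    """Section 7.2: env is a list of pairs (rho, i), rho a dict Var -> pattern and
    i the session identifier Var of the clause. Returns a variable x such that
    rho(x){lambda/i} never unifies with rho'(x){lambda'/i'} for lambda != lambda',
    or None when H2 fails. Clauses are assumed to be renamed apart beforehand."""
    lam, lam2 = ("lambda_1",), ("lambda_2",)    # two distinct session values
    candidates = set(env[0][0])                 # domain of some rho
    for rho, i in env:
        for rho2, i2 in env:
            for x in list(candidates):
                if x not in rho or x not in rho2 or unify(
                        apply({i: lam}, rho[x]), apply({i2: lam2}, rho2[x])) is not None:
                    candidates.discard(x)
    return min(candidates, key=lambda v: v.name) if candidates else None

# Constructed from Example 12: the environment rho of the single clause of
# solve'(event(e_B(x1, x2, x3, x4), i)), whose session identifier is i_B0.
i_A, i_A0, i_B0, x_pk_B, m = (Var(n) for n in ("i_A", "i_A0", "i_B0", "x_pk_B", "m"))
pk_A, pk_B = ("pk", ("sk_A[]",)), ("pk", ("sk_B[]",))
a_pat = ("a[]", pk_B, i_A0)
p1 = ("pencrypt_p", ("pair", a_pat, pk_A), pk_B, ("r_1[]", pk_B, i_A0))
p2 = ("pencrypt_p", ("triple", a_pat, ("b[]", p1, i_B0), pk_B), pk_A, ("r_2[]", p1, i_B0))
ENV_11 = [({i_A: i_A0, x_pk_B: pk_B, m: p2}, i_B0)]

# Constructed counterexample: the environment never mentions its own session
# identifier, so every variable is removed from the set and H2 fails.
ENV_BAD = [({Var("n"): ("a[]", Var("j"))}, Var("i"))]

# Constructed clause for elimredundanthyp: m-event(e(x, z)) is an instance of
# m-event(e(y, n[])) under {x -> y, z -> n[]}, and x, z occur nowhere else.
x, y, z = Var("x"), Var("y"), Var("z")
CLAUSE = ([("m-event", ("e", x, z)), ("m-event", ("e", y, ("n[]",))), ("attacker", y)],
          ("attacker", ("f", y)))
```

Running `h2_witness(ENV_11)` returns `Var("m")`, the witness chosen in Example 12, and `elimredundanthyp(*CLAUSE)` drops the first m-event hypothesis.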

Example 13 For the example $P$ of Section 2.3, the previous theorem does not enable us to prove the correspondence $\text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow (inj\ \text{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow (inj\ \text{event}(e_2(x_1, x_2, x_3, x_4)) \rightsquigarrow inj\ \text{event}(e_1(x_1, x_2, x_3))))$ directly. Indeed, Theorem 5 would require that we show a correspondence of the form $\text{event}(\sigma e_2(x_1, x_2, x_3, x_4)) \rightsquigarrow inj\ \text{event}(\sigma e_1(x_1, x_2, x_3))$. However, such a correspondence does not hold, because after executing a single event $e_1$, the adversary can replay the first message of the protocol, so that $B$ executes several events $e_2$.

It is still possible to prove this correspondence by combining the automatic proof of the slightly weaker correspondence $q = \text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow (inj\ \text{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow (inj\ \text{event}(e_1(x_1, x_2, x_3)) \wedge inj\ \text{event}(e_2(x_1, x_2, x_3, x_4))))$, which does not order the events $e_1$ and $e_2$, with a simple manual argument. (This technique applies to many other examples.) Let us first prove the latter correspondence.

Let $P' = \text{instr}'(P)$ and $Init = \{c\}$. We have
$$\text{solve}'_{P', Init}(\text{event}(e_B(x_1, x_2, x_3, x_4), i)) = \{H \wedge \text{m-event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), \rho_{111}) \Rightarrow \text{event}(e_B(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), i_{B0})\}$$
$$\text{solve}'_{P', Init}(\text{event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), i)) = \{\text{m-event}(e_1(pk_A, pk_B, a[pk_B, i_{A0}]), \rho_{111111}) \wedge \text{m-event}(e_2(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), \rho_{111112}) \Rightarrow \text{event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), i_{A0})\}$$
where $pk_A = pk(sk_A[])$, $pk_B = pk(sk_B[])$,
$p_1 = \text{pencrypt}_p((a[pk_B, i_{A0}], pk_A), pk_B, r_1[pk_B, i_{A0}])$,
$p_2 = \text{pencrypt}_p((a[pk_B, i_{A0}], b[p_1, i_{B0}], pk_B), pk_A, r_2[p_1, i_{B0}])$,
$\rho_{111} = \rho_{111111} = \{i_A \mapsto i_{A0}, x\_pk_B \mapsto pk_B, m \mapsto p_2\}$,
$\rho_{111112} = \{i_B \mapsto i_{B0}, m' \mapsto p_1\}$.
Intuitively, as in Example 12, the value of $\text{solve}'_{P', Init}(\text{event}(e_B(x_1, x_2, x_3, x_4), i))$ guarantees that each event $e_B(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$, executed in the session of index $i_B = i_{B0}$, is preceded by an event $e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ executed in the session of index $i_A = i_{A0}$ with $x\_pk_B = pk_B$ and $m = p_2$. Since $i_{B0}$ occurs in this event (or in its environment), we have injectivity. The value of $\text{solve}'_{P', Init}(\text{event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), i))$ guarantees that each event $e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ executed in the session of index $i_A = i_{A0}$ is preceded by events $e_1(pk_A, pk_B, a[pk_B, i_{A0}])$ executed in the session of index $i_A = i_{A0}$ with $x\_pk_B = pk_B$ and $m = p_2$, and $e_2(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ executed in the session of index $i_B = i_{B0}$ with $m' = p_1$. Since $i_{A0}$ occurs in these events (or in their environments), we have injectivity. So we obtain the desired correspondence $\text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow (inj\ \text{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow (inj\ \text{event}(e_1(x_1, x_2, x_3)) \wedge inj\ \text{event}(e_2(x_1, x_2, x_3, x_4))))$.

More formally, let us show that we can apply Theorem 5. We have $p = p'_1 = e_B(x_1, x_2, x_3, x_4)$, $p_{11} = e_3(x_1, x_2, x_3, x_4)$, $p_{1111} = e_1(x_1, x_2, x_3)$, $p_{1112} = e_2(x_1, x_2, x_3, x_4)$. We show $\text{verify}(q, (Env_{\widetilde{jk}})_{\widetilde{jk}})$. Given the first value of $\text{solve}'_{P', Init}$ shown above, we satisfy V2.1 by letting $\sigma_{11} = \{x_1 \mapsto pk_A, x_2 \mapsto pk_B, x_3 \mapsto a[pk_B, i_{A0}], x_4 \mapsto b[p_1, i_{B0}]\}$ and $i_{11} = i_{B0}$, with $(\rho_{111}, i_{11}) \in Env_{11}$. The common variables between $\sigma_{11} q_{11} = \text{event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])) \rightsquigarrow (inj\ \text{event}(e_1(pk_A, pk_B, a[pk_B, i_{A0}])) \wedge inj\ \text{event}(e_2(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])))$ and $\sigma_{11} p'_1 = e_B(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ are $i_{A0}$ and $i_{B0}$, and they occur in $\sigma_{11} p_{11} = e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$. So we have V2.2. Recursively, in order to obtain V2.3, we have to show $\text{verify}(\sigma_{11} q_{11}, (Env_{11\widetilde{jk}})_{\widetilde{jk}})$. Given the second value of $\text{solve}'_{P', Init}$ shown above, we satisfy V2.1 by letting $\sigma_{11111} = Id$ and $i_{11111} = i_{A0}$, with $(\rho_{111111}, i_{11111}) \in Env_{1111}$ and $(\rho_{111112}, i_{11111}) \in Env_{1112}$. (We prefix the indices with 111 in order to represent that these values concern the recursive call with $j = 1$, $r = 1$, and $k = 1$.) V2.2 holds trivially, because $\sigma_{11111}\sigma_{11} q_{111k_0} = \sigma_{11111}\sigma_{11}\,\text{event}(p_{111k_0})$, since the considered correspondence has one nesting level only. V2.3 holds because $q_{1111}$ reduces to $\text{event}(p_{1111})$, so $\text{verify}(\sigma_{11111}\sigma_{11} q_{1111}, (Env_{1111\widetilde{jk}})_{\widetilde{jk}})$ holds by V1, and the situation is similar for $q_{1112}$. Therefore, we obtain H1. In order to show H2, we have to find $x_{11}$ such that $\rho_{111}(x_{11})\{\lambda/i_{11}\}$ does not unify with $\rho_{111}(x_{11})\{\lambda'/i_{11}\}$ when $\lambda \neq \lambda'$. This property holds with $x_{11} = m$, because $i_{11} = i_{B0}$ occurs in $\rho_{111}(m) = p_2$. Similarly, $\rho_{111111}(x_{1111})\{\lambda/i_{11111}\}$ does not unify with $\rho_{111111}(x_{1111})\{\lambda'/i_{11111}\}$ when $\lambda \neq \lambda'$, for $x_{1111} = i_A$, since $i_{11111} = i_{A0}$ occurs in $\rho_{111111}(i_A)$. Finally, $\rho_{111112}(x_{1112})\{\lambda/i_{11111}\}$ does not unify with $\rho_{111112}(x_{1112})\{\lambda'/i_{11111}\}$ when $\lambda \neq \lambda'$ for $x_{1112} = m'$, since $i_{11111} = i_{A0}$ occurs in $\rho_{111112}(m') = p_1$. So, by Theorem 5, the process $P'$ satisfies the recent correspondence $\text{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow (inj\ \text{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow (inj\ \text{event}(e_1(x_1, x_2, x_3)) \wedge inj\ \text{event}(e_2(x_1, x_2, x_3, x_4))))$ against Init-adversaries.

We can then show that $P'$ satisfies the recent correspondence $event(e_B(x_1, x_2, 
x_3, x_4)) \rightsquigarrow (\mathrm{inj}\,event(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow (\mathrm{inj}\,event(e_2(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\, 
event(e_1(x_1, x_2, x_3))))$. We just have to show that the event $e_2(x_1, x_2, x_3, x_4)$ is ex- 
ecuted after $e_1(x_1, x_2, x_3)$. The nonce $a$ is created just before executing $e_1(x_1, x_2, 
x_3) = e_1(pk_A, x\_pk_B, a)$, and the event $e_2(x_1, x_2, x_3, x_4) = e_2(x\_pk_A, pk_B, x\_a, b)$ 
contains $a$ in the variable $x_3 = x\_a$. So $e_2$ has been executed after receiving a message 
that contains $a$, so after $a$ has been sent in some message, so after executing event $e_1$. 

8 Termination 

In this section, we study termination properties of our algorithm. We first show that it 
terminates on a restricted class of protocols, named tagged protocols. Then, we study 
how to improve the choice of the selection function in order to obtain termination in 
other cases. 

8.1 Termination for Tagged Protocols 

Intuitively, a tagged protocol is a protocol in which each application of a constructor 
can be immediately distinguished from others in the protocol, for example by a tag: for 
instance, when we want to encrypt $m$ under $k$, we add the constant tag $ct$ to $m$, so that 
the encryption becomes $sencrypt((ct, m), k)$ where the tag $ct$ is a different constant 
for each encryption in the protocol. The tags are checked when destructors are applied. 
This condition is easy to realize by adding tags, and it is also a good protocol design: 
the participants use the tags to identify the messages unambiguously, thus avoiding 
type flaw attacks [50]. 
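The tag discipline described above, as an added illustration that is not part of the paper: a symbolic model (nested Python tuples, no real cryptography) of $sencrypt((ct, m), k)$ where the receiver projects the first component of the decrypted tuple and continues only if it equals the tag expected at that program point. The tag names, keys and the replayed message are constructed for the example.

```python
# Added example (not from the paper): symbolic tagged symmetric encryption,
# sencrypt((ct, m), k), with the tag checked on decryption as in Condition C4.
# Terms are nested Python tuples; nothing here is real cryptography.

CT0, CT1, CT2 = "ct0", "ct1", "ct2"   # one distinct constant per encryption (Condition C3)


def sencrypt(payload, key):
    """Constructor: symbolic encryption of a tuple payload under key."""
    return ("sencrypt", payload, key)


def sdecrypt(ciphertext, key):
    """Destructor: succeeds only when the key matches; returns the payload."""
    if ciphertext[0] != "sencrypt" or ciphertext[2] != key:
        raise ValueError("decryption failed")
    return ciphertext[1]


def receive(ciphertext, key, expected_tag):
    """Condition C4 made concrete: decrypt, project the first component
    (1th_n), and continue only if it equals the tag expected here.
    Returns the untagged fields, or None if decryption or the tag check fails."""
    try:
        payload = sdecrypt(ciphertext, key)
    except ValueError:
        return None
    if payload[0] != expected_tag:
        return None
    return payload[1:]


def type_flaw_attempt(key):
    """Constructed scenario: a message built for the program point that
    expects tag ct0 is presented to the program point that expects ct2.
    Without tags the two encryptions would be indistinguishable; with tags the
    second receiver rejects the message."""
    msg_step0 = sencrypt((CT0, "nonce_n", "id_a"), key)
    accepted_at_step0 = receive(msg_step0, key, CT0)   # ("nonce_n", "id_a")
    accepted_at_step2 = receive(msg_step0, key, CT2)   # None: tag mismatch
    return accepted_at_step0, accepted_at_step2
```

The check is the concrete counterpart of Condition C4: every destructor application is immediately followed by a projection of the tag and an equality test against the constant expected at that point.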

In [20], in collaboration with Andreas Podelski, we have given conditions on the 
clauses that intuitively correspond to tagged protocols, and we have shown that, for 
tagged protocols using only public channels, public-key cryptography with atomic 
keys, shared-key cryptography and hash functions, and for secrecy properties, the solv- 
ing algorithm using the selection function sel terminates. 

Here, we extend this result by giving a definition of tagged protocols for processes 
and showing that the clause generation algorithm yields clauses that satisfy the con- 
ditions of [20], so that the solving algorithm terminates. (A similar result has been 
proved for strong secrecy in the technical report [16].) 

Definition 15 (Tagged protocol) A tagged protocol is a process $P$ together with a 
signature of constructors and destructors such that: 

C1. The only constructors and destructors are those of Figure 2, plus $equal$. 

C2. In every occurrence of $M(x)$ and $\overline{M}\langle N\rangle$ in $P$, $M$ is a name free in $P_0$. 

C3. In every occurrence of $f(\ldots)$ with $f \in \{sencrypt, sencrypt_p, pencrypt_p, sign, 
nmrsign, h, mac\}$ in $P$, the first argument of $f$ is a tuple $(ct, M_1, \ldots, M_n)$, 
where the tag $ct$ is a constant. Different occurrences of $f$ have different values 
of the tag $ct$. 

C4. In every occurrence of $let\ x = g(\ldots)\ in\ P\ else\ Q$, for $g \in \{sdecrypt, 
sdecrypt_p, pdecrypt_p, checksignature, getmessage\}$ in $P_0$, $P = let\ y = 
1th_n(x)\ in\ if\ y = ct\ then\ P'$ for some $ct$ and $P'$. 

In every occurrence of $nmrchecksign$ in $P$, its third argument is $(ct, M_1, \ldots, 
M_n)$ for some $ct, M_1, \ldots, M_n$. 

C5. The destructor applications (including equality tests) have no else branches. 
There exists a trace of $P_0$ (without adversary) in which all program points are 
executed exactly once. 

C6. The second argument of $pencrypt_p$ in the trace of Condition C5 is of the form 
$pk(M)$ for some $M$. 

C7. The arguments of $pk$ and $host$ in the trace of Condition C5 are atomic constants 
(free names or names created by restrictions not under inputs, non-deterministic 
destructor applications, or replications) and they are not tags. 

Condition C1 limits the set of allowed constructors and destructors. We could give 
conditions on the form of allowed destructor rules, but these conditions are complex, 
so it is simpler and more intuitive to give an explicit list. Condition C2 states that all 
channels must be public. This condition avoids the need for the predicate $message$. 
Condition C3 guarantees that tags are added in all messages, and Condition C4 guar- 
antees that tags are always checked. 

In most cases, the trace of Condition C5 is simply the intended execution of the 
protocol. All terms that occur in the trace of Condition C5 have pairwise distinct 
tags (since each program point is executed at most once, and tags at different program 
points are different by Condition C3). We can prove that it also guarantees that the 
terms of all clauses generated for the process P have instances in the set of terms that 
occur in the trace of Condition C5 (using the fact that all program points are executed 
at least once). These properties are key in the termination proof. More concretely, 
Condition C5 means that, after removing replications of P , the resulting process has 
a trace that executes each program point (at least) once. In this trace, all destructor 
applications succeed and the process reduces to a configuration with an empty set of 
processes. Since, after removing replications, the number of traces of a process is 
always finite, Condition C5 is decidable. 

Condition C6 means that, in its intended execution, the protocol uses public-key 
encryption only with public keys, and Condition C7 means that long-term secret (sym- 
metric and asymmetric) keys are atomic constants. 

Example 14 A tagged protocol can easily be obtained by tagging the Needham- 
Schroeder-Lowe protocol. The tagged protocol consists of the following messages: 

Message 1. $A \to B : \{ct_0, a, pk_A\}_{pk_B}$ 
Message 2. $B \to A : \{ct_1, a, b, pk_B\}_{pk_A}$ 
Message 3. $A \to B : \{ct_2, b\}_{pk_B}$ 

Each encryption is tagged with a different tag $ct_0$, $ct_1$, and $ct_2$. This protocol can be 
represented in our calculus by the following process $P$: 

$P_A(sk_A, pk_A, pk_B) = {!}c(x\_pk_B).(\nu a)event(e_1(pk_A, x\_pk_B, a)).$ 
$\quad (\nu r_1)\overline{c}\langle pencrypt_p((ct_0, a, pk_A), x\_pk_B, r_1)\rangle.$ 
$\quad c(m).let\ (= ct_1, = a, x\_b, = x\_pk_B) = pdecrypt_p(m, sk_A)\ in$ 
$\quad event(e_3(pk_A, x\_pk_B, a, x\_b)).(\nu r_3)\overline{c}\langle pencrypt_p((ct_2, x\_b), x\_pk_B, r_3)\rangle.$ 
$\quad if\ x\_pk_B = pk_B\ then\ event(e_A(pk_A, x\_pk_B, a, x\_b)).$ 
$\quad \overline{c}\langle sencrypt((ct_3, sAa), a)\rangle.\overline{c}\langle sencrypt((ct_4, sAb), x\_b)\rangle$ 
$P_B(sk_B, pk_B, pk_A) = {!}c(m').let\ (= ct_0, x\_a, x\_pk_A) = pdecrypt_p(m', sk_B)\ in$ 
$\quad (\nu b)event(e_2(x\_pk_A, pk_B, x\_a, b)).$ 
$\quad (\nu r_2)\overline{c}\langle pencrypt_p((ct_1, x\_a, b, pk_B), x\_pk_A, r_2)\rangle.$ 
$\quad c(m'').let\ (= ct_2, = b) = pdecrypt_p(m'', sk_B)\ in$ 
$\quad if\ x\_pk_A = pk_A\ then\ event(e_B(x\_pk_A, pk_B, x\_a, b)).$ 
$\quad \overline{c}\langle sencrypt((ct_5, sBa), x\_a)\rangle.\overline{c}\langle sencrypt((ct_6, sBb), b)\rangle$ 
$P_T = {!}c(x_1).c(x_2).\overline{c}\langle x_2\rangle.(c(x_3).c(x_4) \mid c(x_5).c(x_6))$ 
$P = (\nu sk_A)(\nu sk_B)let\ pk_A = pk(sk_A)\ in\ let\ pk_B = pk(sk_B)\ in$ 
$\quad \overline{c}\langle pk_A\rangle.\overline{c}\langle pk_B\rangle.(P_A(sk_A, pk_A, pk_B) \mid P_B(sk_B, pk_B, pk_A) \mid P_T)$ 

The encryptions that are used for testing the secrecy of nonces are also tagged, with 
tags $ct_3$ to $ct_6$. Furthermore, a process $P_T$ is added in order to satisfy Condition C5, 
because, without $P_T$, in the absence of adversary, the process would block when it tries 
to send the public keys $pk_A$ and $pk_B$. The execution of Condition C5 is the intended 
execution of the protocol. In this execution, the process $P_T$ receives the public keys 
$pk_A$ and $pk_B$; it forwards $pk_B$ on channel $c$ to $P_A$, so that a session between $A$ and $B$ 
starts. Then $A$ and $B$ run this session normally, and finally output the encryptions of 
$sAa$, $sAb$, $sBa$, and $sBb$; these encryptions are received by $P_T$. The other conditions 
of Definition 15 are easy to check, so $P$ is tagged. 

Proposition 3 below applies to $P$, and also to the process without $P_T$, because the 
addition of $P_T$ in fact does not change the clauses. (The only clause generated from 
$P_T$ is a tautology, immediately removed by $elimtaut$.) 

We prove the following termination result in Appendix D: 

Proposition 3 For $sel = sel_0$, the algorithm terminates on tagged protocols for queries 
of the form $\alpha \rightsquigarrow false$ when $\alpha$ is closed and all facts in $\mathcal{F}_{not}$ are closed. 

The proof first considers the particular case in which pk and host have a single argu- 
ment in the execution of Condition C5, and then generalizes by mapping all arguments 
of pk and host (which are atomic constants by Condition C7) to a single constant. The 
proof of the particular case proceeds in two steps. The first step shows that the clauses 
generated from a tagged protocol satisfy the conditions of [20]. Basically, these condi- 
tions require that the clauses for the protocol satisfy the following properties: 

T1. The patterns in the clauses are tagged, that is, the first argument of all occur- 
rences of constructors except tuples, $pk$, and $host$ is of the form $(ct, M_1, \ldots, 
M_n)$. The proof of this property relies on Conditions C3 and C4. 

T2. Let $S_1$ be the set of subterms of patterns that correspond to the terms that occur in 
the execution of Condition C5. Every clause has an instance in which all patterns 
are in $S_1$. The proof of this property relies on Condition C5. 
T3. Each non-variable, non-data tagged pattern has at most one instance in $S_1$. (A 
pattern is said to be non-data when it is not of the form $f(\ldots)$ with $f$ a data 
constructor, that is, here, a tuple.) This property comes from Condition C3 which 
guarantees that the tags at distinct occurrences are distinct and, for $pk(p)$ and 
$host(p)$, from the hypothesis that $pk$ and $host$ have a single argument in the 
execution of Condition C5. 

Note that the patterns in the clauses (Rf) and (Rg) that come from constructors and 
destructors are not tagged, so we need to handle them specially; Conditions C1 and C6 
are useful for that. 

The second step of the proof uses the result of [20] in order to conclude termination. 
Basically, this result shows that Properties T1 and T2 are preserved by resolution. The 
proof of this result relies on the fact that, if two non-variable non-data tagged patterns 
unify and have instances in $S_1$, then their instances in $S_1$ are equal (by T3). So, when 
unifying two such patterns, their unification still has an instance in $S_1$. Furthermore, 
we show that the size of the instance in $S_1$ of a clause obtained by resolution is not 
greater than the size of the instance in $S_1$ of one of the initial clauses. Hence, we can 
bound the size of the instance in $S_1$ of generated clauses, which shows that only finitely 
many clauses are generated. 

The hypothesis that all facts in $\mathcal{F}_{not}$ are closed is not really a restriction, since we 
can always remove facts from $\mathcal{F}_{not}$ without changing the result. (It may just slow down 
the resolution.) The restriction to queries $\alpha \rightsquigarrow false$ allows us to remove m-event facts 
from clauses (by Remark 3). For more general queries, m-event facts may occur in 
clauses, and one can find examples on which the algorithm does not terminate. Here is 
such an example: 

$P_S = c'_1(y).let\ z = sencrypt((ct_0, y), k_{SB})\ in$ 
$\quad \overline{c'_2}\langle sencrypt((ct_2, sencrypt((ct_1, z), k_{SA})), k_{SB})\rangle.event(h((ct_3, y))).\overline{c'_3}\langle z\rangle$ 
$P_B = c'_2(z').c'_3(z).let\ (= ct_0, y) = sdecrypt(z, k_{SB})\ in$ 
$\quad let\ (= ct_2, y') = sdecrypt(z', k_{SB})\ in\ event(h((ct_4, y, y'))).\overline{c'_4}\langle y'\rangle$ 

$P_0 = (\nu k_{SB})({!}\overline{c'_1}\langle c_0\rangle \mid {!}P_S \mid {!}P_B \mid c'_4(y'))$ 

This example has been built on purpose for exhibiting non-termination, since we did 
not meet such non-termination cases in our experiments with real protocols. One can 
interpret this example as follows. The participant $A$ shares a key $k_{SA}$ with a server 
$S$. Similarly, $B$ shares a key $k_{SB}$ with $S$. The code of $S$ is represented by $P_S$, the 
code of $B$ by $P_B$, and $A$ is assumed to be dishonest, so it is represented by the adver- 
sary. The process $P_S$ builds two tickets $sencrypt((ct_0, y), k_{SB})$ and $sencrypt((ct_2, 
sencrypt((ct_1, sencrypt((ct_0, y), k_{SB})), k_{SA})), k_{SB})$. The first ticket is for $B$; the 
second ticket should first be decrypted by $B$, then sent to $A$, which is going to decrypt 
it again and send it back to $B$. In the example, $P_B$ just decrypts the two tickets and 
forwards the second one to $A$. It is easy to check that this process is a tagged protocol. 
This process generates the following clauses: 

$attacker(y) \Rightarrow attacker(sencrypt((ct_2, sencrypt((ct_1, sencrypt((ct_0, y), k_{SB})), k_{SA})), k_{SB}))$ (19) 

$attacker(y) \wedge m\text{-}event(h((ct_3, y))) \Rightarrow attacker(sencrypt((ct_0, y), k_{SB}))$ (20) 

$attacker(sencrypt((ct_0, y), k_{SB})) \wedge attacker(sencrypt((ct_2, y'), k_{SB})) \wedge m\text{-}event(h((ct_4, y, y'))) \Rightarrow attacker(y')$ (21) 

$attacker(c_0)$ (22) 

The first two clauses come from $P_S$, the third one from $P_B$, and the last one from 
the output in $P_0$. Obviously, clauses (Init) (in particular $attacker(k_{SA})$ since $k_{SA} \in 
fn(P_0)$), (Rf) for $sencrypt$ and $h$, and (Rg) for $sdecrypt$ are also generated. Assuming 
the first hypothesis is selected in (21), the solving algorithm performs a resolution step 
between (20) and (21), which yields: 

$attacker(y) \wedge attacker(sencrypt((ct_2, y'), k_{SB})) \wedge 
m\text{-}event(h((ct_3, y))) \wedge m\text{-}event(h((ct_4, y, y'))) \Rightarrow attacker(y')$ 

The second hypothesis is selected in this clause. By resolving with (19), we obtain 

$attacker(y) \wedge attacker(y') \wedge m\text{-}event(h((ct_3, y))) \wedge 
m\text{-}event(h((ct_4, y, sencrypt((ct_1, sencrypt((ct_0, y'), k_{SB})), k_{SA})))) 
\Rightarrow attacker(sencrypt((ct_1, sencrypt((ct_0, y'), k_{SB})), k_{SA}))$ 

By applying (Rg) for $sdecrypt$ and for tuple projection, and resolving with $attacker(k_{SA})$, 
we obtain: 

$attacker(y) \wedge attacker(y') \wedge m\text{-}event(h((ct_3, y))) \wedge 
m\text{-}event(h((ct_4, y, sencrypt((ct_1, sencrypt((ct_0, y'), k_{SB})), k_{SA})))) 
\Rightarrow attacker(sencrypt((ct_0, y'), k_{SB}))$ 

This clause is similar to (20), so we can repeat this resolution process, resolving with 
(21), (19), and decrypting the conclusion. Hence we obtain 

$$\bigwedge_{j=1}^{n} attacker(y_j) \wedge m\text{-}event(h((ct_3, y_1))) \wedge 
\bigwedge_{j=1}^{n-1} m\text{-}event(h((ct_4, y_j, sencrypt((ct_1, sencrypt((ct_0, y_{j+1}), k_{SB})), k_{SA})))) 
\Rightarrow attacker(sencrypt((ct_0, y_n), k_{SB}))$$ 

for all $n > 0$, so the algorithm does not terminate. 

As noticed in [20], termination could be obtained in the presence of m-event facts 
with an additional simplification: 

Elimination of useless m-event facts: $elim\text{-}m\text{-}event$ eliminates m-event 
facts in which a variable $x$ occurs, and $x$ only occurs in m-event facts and 
in $attacker(x)$ hypotheses. 

This simplification is always sound, because it creates a stronger clause. It does not 
lead to a loss of precision when all variables of events after $\rightsquigarrow$ also occur in the event 
before $\rightsquigarrow$. (This happens in particular for non-injective agreement.) Indeed, assume 
that $m\text{-}event(p)$ contains a variable which does not occur in the conclusion. This is 
preserved by resolution, so when we obtain a clause $m\text{-}event(p') \wedge H \Rightarrow event(p'')$, 
where $m\text{-}event(p')$ comes from $m\text{-}event(p)$, $p'$ contains a variable that does not occur 
in $p''$, so this occurrence of $m\text{-}event(p')$ cannot be used to prove the desired correspon- 
dence. However, in the general case, this simplification leads to a loss of precision. (It 
may miss some m-event facts.) That is why this optimization was present in early im- 
plementations which verified only authentication, and was later abandoned. We could 
reintroduce it when all variables of events after $\rightsquigarrow$ also occur in the event before $\rightsquigarrow$ if 
we had termination problems coming from m-event facts for practical examples. No 
such problems have occurred up to now. 

8.2 Choice of the Selection Function 

Unfortunately, not all protocols are tagged. In particular, protocols using a Diffie- 
Hellman key agreement (see Section 9.1) are not tagged in the sense of Definition 15. 
The algorithm still terminates for some of them (Skeme [52] for secrecy, SSH) with 
the previous selection function $sel_0$. However, it does not terminate with the selec- 
tion function $sel_0$ for some other examples (Skeme [52] for one authentication prop- 
erty, the Needham-Schroeder shared-key protocol [60], some versions of the Woo-Lam 
shared-key protocol [70] and [5, Example 6.2].) In this section, we present heuristics 
to improve the choice of the selection function, in order to avoid most simple non- 
termination cases. As reported in more detail in Section 10, these heuristics provide 
termination for Skeme [52] and the Needham-Schroeder shared-key protocol [60]. 

Let us determine which constraints the selection function should satisfy to avoid 
loops in the algorithm. First, assume that there is a clause $H \wedge F \Rightarrow \sigma F$, where $\sigma$ is a 
substitution such that all $\sigma^n F$ are distinct for $n \in \mathbb{N}$. 

• Assume that $F$ is selected in this clause, and there is a clause $H' \Rightarrow F'$, where 
$F'$ unifies with $F$, and the conclusion is selected in $H' \Rightarrow F'$. Let $\sigma'$ be the most 
general unifier of $F$ and $F'$. So the algorithm generates: 



assuming that the conclusion is selected in all these clauses, and that no clause is 
removed because it is subsumed by another clause. So the algorithm would not 
terminate. Therefore, in order to avoid this situation, we should avoid selecting 
$F$ in the clause $H \wedge F \Rightarrow \sigma F$. 



n-1 
• Assume that the conclusion is selected in the clause $H \wedge F \Rightarrow \sigma F$, and there is 
a clause $H' \wedge \sigma' F \Rightarrow C$ (up to renaming of variables), where $\sigma'$ commutes with 
$\sigma$ (in particular, when $\sigma$ and $\sigma'$ have disjoint supports), and that $\sigma' F$ is selected 
in this clause. So the algorithm generates: 

$$\sigma' H \wedge \sigma H' \wedge \sigma' F \Rightarrow \sigma C, \quad \ldots, \quad \bigwedge_{l=0}^{n-1} \sigma'\sigma^l H \wedge \sigma^n H' \wedge \sigma' F \Rightarrow \sigma^n C$$ 

assuming that $\sigma' F$ is selected in all these clauses, and that no clause is removed 
because it is subsumed by another clause. So the algorithm would not terminate. 
Therefore, in order to avoid this situation, if the conclusion is selected in the 
clause $H \wedge F \Rightarrow \sigma F$, we should avoid selecting facts of the form $\sigma' F$, where $\sigma'$ 
and $\sigma$ have disjoint supports, in other clauses. 

In particular, since there are clauses of the form $attacker(x_1) \wedge \ldots \wedge attacker(x_n) \Rightarrow 
attacker(f(x_1, \ldots, x_n))$, by the first remark, the facts $attacker(x_i)$ should not be se- 
lected in this clause. So the conclusion will be selected in this clause and, by the second 
remark, facts of the form $attacker(x)$ with $x$ variable should not be selected in other 
clauses. We find again the constraint used in the definition of $sel_0$. 

We also have the following similar remarks after swapping conclusion and hypoth- 
esis. Assume that there is a clause $H \wedge \sigma F \Rightarrow F$, where $\sigma$ is a substitution such that 
all $\sigma^n F$ are distinct for $n \in \mathbb{N}$. We should avoid selecting the conclusion in this clause 
and, if we select $\sigma F$ in this clause, we should avoid selecting conclusions of the form 
$\sigma' F$, where $\sigma'$ and $\sigma$ have disjoint supports, in other clauses. 

We define a selection function that takes into account all these remarks. For a clause 
$H \Rightarrow C$, we define the weight $w_{hyp}(F)$ of a fact $F \in H$ by: 

$$w_{hyp}(F) = \begin{cases} -\infty & \text{if } F \text{ is an unselectable fact} \\ -2 & \text{if } \exists\sigma, \sigma F = C \\ -1 & \text{otherwise, if } F \in S_{hyp} \\ 0 & \text{otherwise.} \end{cases}$$ 

The set $S_{hyp}$ is defined as follows: at the beginning, $S_{hyp} = \emptyset$; if we generate a clause 
$H \wedge F \Rightarrow \sigma F$ where $\sigma$ is a substitution that maps variables of $F$ to terms that are not 
all variables and, in this clause, we select the conclusion, then we add to $S_{hyp}$ all facts 
$\sigma' F$ with $\sigma$ and $\sigma'$ of disjoint support (and renamings of these facts). For simplicity, we 
have replaced the condition "all $\sigma^n F$ are distinct for $n \in \mathbb{N}$" with "$\sigma$ maps variables 
of $F$ to terms that are not all variables". (The former implies the latter but the converse 
is wrong.) Our aim is only to obtain good heuristics, since there exists no perfect 
selection function that would provide termination in all cases. The set $S_{hyp}$ can easily 
be represented finitely: just store the facts $F$ with, for each variable, a flag indicating 
whether this variable can be substituted by any term by $\sigma'$, or only by a variable. 
Similarly, we define the weight of the conclusion: 

$$w_{concl}(C) = \begin{cases} -2 & \text{if } \exists\sigma, \exists F \in H, \sigma C = F \\ -1 & \text{otherwise, if } C \in S_{concl} \\ 0 & \text{otherwise.} \end{cases}$$ 

The set $S_{concl}$ is defined as follows: at the beginning, $S_{concl} = \emptyset$; if we generate a 
clause $H \wedge \sigma F \Rightarrow F$ where $\sigma$ is a substitution that maps variables of $F$ to terms that 
are not all variables and, in this clause, we select $\sigma F$, then we add to $S_{concl}$ all facts 
$\sigma' F$ with $\sigma$ and $\sigma'$ of disjoint support (and renamings of these facts). 
Finally, we define 

$$sel_1(H \Rightarrow C) = \begin{cases} \emptyset & \text{if } \forall F \in H, w_{hyp}(F) < w_{concl}(C) \\ \{F_0\} & \text{where } F_0 \in H \text{ is of maximum weight, otherwise.} \end{cases}$$ 

Therefore, we avoid unifying facts of smallest weight when that is possible. The se- 
lected fact $F_0$ can be any element of $H$ of maximum weight. In the implementation, 
the hypotheses are represented by a list, and the selected fact is the first element of the 
list of hypotheses of maximum weight. 

We can also notice that the bigger the fact is, the stronger are the constraints to unify 
it with another fact. So selecting a bigger fact should reduce the possible unifications. 
Therefore, we consider $sel_2$, defined as $sel_1$ except that $w_{hyp}(F) = size(F)$ instead of 
$0$ in the last case. 

When selecting a fact that has a negative weight, we are in one of the cases when 
termination will probably not be achieved. We therefore emit a warning in this case, so 
that the user can stop the program. 
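The weights $w_{hyp}$, $w_{concl}$ and the resulting $sel_1$, as an added worked example in Python that is not ProVerif's code. Facts and terms are nested tuples, variables are strings starting with `?`, and the two places where the paper's definition is simplified are labelled as assumptions: the unselectable facts are taken to be $attacker(x)$ with $x$ a variable and m-event facts, and membership in $S_{hyp}$ / $S_{concl}$ is tested by matching against stored template facts (the per-variable flags of the paper's representation are not modelled). The example is run on the attacker clause for a binary constructor and on clause (21) of Section 8.1, both constructed here.

```python
# Added example (not ProVerif's code): one-sided matching and the weights
# w_hyp / w_concl of the heuristic selection function sel_1 (Section 8.2).
# Terms: nested tuples ("head", arg, ...); variables are strings "?name";
# a fact is a term whose head is a predicate such as "attacker" or "m-event".

NEG_INF = float("-inf")


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def match(pattern, target, s=None):
    """One-sided matching: a substitution s (dict) with s(pattern) == target,
    or None.  This decides "exists sigma, sigma F = C" in the weight definitions."""
    s = {} if s is None else s
    if is_var(pattern):
        if pattern in s:
            return s if s[pattern] == target else None
        return {**s, pattern: target}
    if (isinstance(pattern, tuple) and isinstance(target, tuple)
            and pattern[0] == target[0] and len(pattern) == len(target)):
        for a, b in zip(pattern[1:], target[1:]):
            s = match(a, b, s)
            if s is None:
                return None
        return s
    return s if pattern == target else None


def unselectable(fact):
    """Assumption of this example: sel_0's unselectable facts are attacker(x)
    with x a variable, and m-event facts."""
    return (fact[0] == "attacker" and is_var(fact[1])) or fact[0] == "m-event"


def in_set(fact, templates):
    """Simplified S_hyp / S_concl membership: fact is an instance of a stored
    template (assumption; the paper stores per-variable flags instead)."""
    return any(match(tmpl, fact) is not None for tmpl in templates)


def w_hyp(fact, concl, s_hyp=()):
    if unselectable(fact):
        return NEG_INF
    if match(fact, concl) is not None:          # exists sigma, sigma F = C
        return -2
    if in_set(fact, s_hyp):
        return -1
    return 0


def w_concl(concl, hyps, s_concl=()):
    if any(match(concl, f) is not None for f in hyps):   # exists sigma, F in H, sigma C = F
        return -2
    if in_set(concl, s_concl):
        return -1
    return 0


def sel1(hyps, concl, s_hyp=(), s_concl=()):
    """sel_1: None when the conclusion is selected (the empty set), otherwise
    the first hypothesis of maximum weight, as in the implementation."""
    weights = [w_hyp(f, concl, s_hyp) for f in hyps]
    if all(w < w_concl(concl, hyps, s_concl) for w in weights):
        return None
    return hyps[weights.index(max(weights))]


# Constructed clauses.  Attacker clause for a binary constructor f:
#   attacker(x1) /\ attacker(x2) => attacker(f(x1, x2))
ATTACKER_F = ([("attacker", "?x1"), ("attacker", "?x2")],
              ("attacker", ("f", "?x1", "?x2")))
# Clause (21) of Section 8.1, with kSB a name and y' written ?y2:
C21_HYPS = [("attacker", ("sencrypt", ("tuple", "ct0", "?y"), "kSB")),
            ("attacker", ("sencrypt", ("tuple", "ct2", "?y2"), "kSB")),
            ("m-event", ("h", ("tuple", "ct4", "?y", "?y2")))]
C21_CONCL = ("attacker", "?y2")
```

On the attacker clause every hypothesis is unselectable, so the conclusion is selected (as Section 8.2 argues it must be); on clause (21) the conclusion $attacker(y')$ gets weight $-2$ because it is an instance of a hypothesis, so the first hypothesis of weight $0$ is selected, which is the choice the non-termination example assumes.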



9 Extensions 

In this section, we briefly sketch a few extensions to the framework presented previ- 
ously. The extensions of Sections 9.1, 9.2, and 9.3 were presented in [18] for the proof 
of process equivalences. We sketch here how to adapt them to the proof of correspon- 
dences. 

9.1 Equational Theories and Diffie-Hellman Key Agreements 

Up to now, we have defined cryptographic primitives by associating rewrite rules to 
destructors. Another way of defining primitives is by equational theories, as in the 
applied pi calculus [4]. This allows us to model, for instance, variants of encryption for 
which the failure of decryption cannot be detected or more complex primitives such as 
Diffie-Hellman key agreements. The Diffie-Hellman key agreement [38] enables two 
principals to build a shared secret. It is used as an elementary step in more complex 
protocols, such as Skeme [52], SSH, SSL, and IPsec. 

As shown in [18], our verifier can be extended to handle some equational theories. 
Basically, one shows that each trace in a model with an equational theory corresponds 
to a trace in a model in which function symbols are equipped with additional rewrite 
rules, and conversely. (We could adapt [18, Lemma 1] to show that this result also 
applies to correspondences.) Therefore, we can show that a correspondence proved 
in the model with rewrite rules implies the same correspondence in the model with 
an equational theory. Moreover, we have implemented algorithms that compute the 
rewrite rules from an equational theory. 




In the experiments reported in this paper, we use equational theories only for the 
Diffie-Hellman key agreement, which can be modeled by using two functions $f$ and $f'$ 
that satisfy the equation 

$$f(y, f'(x)) = f(x, f'(y)). \quad (23)$$ 

In practice, the functions are $f(x, y) = y^x \bmod p$ and $f'(x) = b^x \bmod p$, where 
$p$ is prime and $b$ is a generator of $\mathbb{Z}_p^*$. The equation $f(y, f'(x)) = (b^x)^y \bmod p = 
(b^y)^x \bmod p = f(x, f'(y))$ is satisfied. In our verifier, following the ideas used in 
the applied pi calculus [4], we do not consider the underlying number theory; we work 
abstractly with the equation (23). The Diffie-Hellman key agreement involves two 
principals $A$ and $B$. $A$ chooses a random name $x_0$, and sends $f'(x_0)$ to $B$. Similarly, 
$B$ chooses a random name $x_1$, and sends $f'(x_1)$ to $A$. Then $A$ computes $f(x_0, f'(x_1))$ 
and $B$ computes $f(x_1, f'(x_0))$. Both values are equal by (23), and they are secret: 
assuming that the attacker cannot have $x_0$ or $x_1$, it can compute neither $f(x_0, f'(x_1))$ 
nor $f(x_1, f'(x_0))$. 

In our verifier, the equation (23) is translated into the rewrite rules 

$$f(y, f'(x)) \to f(x, f'(y)) \qquad f(x, y) \to f(x, y).$$ 

Notice that this definition of $f$ is non-deterministic: a term such as $f(a, f'(b))$ can 
be reduced to $f(b, f'(a))$ and $f(a, f'(b))$, so that $f(a, f'(b))$ reduces to its two forms 
modulo the equational theory. The fact that these rewrite rules model the equation (23) 
correctly follows from [18, Section 5]. 
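Equation (23) and its two rewrite rules, as an added example in Python that is not the paper's verifier. The first part checks (23) on the concrete instance $f(x, y) = y^x \bmod p$, $f'(x) = b^x \bmod p$ with a constructed small prime and generator; the second part computes, for a symbolic term (nested tuples, `"fp"` standing for $f'$), the set of its forms obtained by applying the rules at every position, and decides equality modulo (23) as "the two terms share a form", which is the situation of the m-event/event mismatch discussed below where the two patterns differ only by $f(p_2, f'(p_1))$ versus $f(p_1, f'(p_2))$.

```python
# Added example (not the paper's verifier): equation (23) on its concrete
# instance, and the two rewrite rules applied symbolically.
# Symbolic terms are nested tuples; "fp" stands for f'.
from itertools import product


def f(x, y, p):
    return pow(y, x, p)          # f(x, y) = y^x mod p


def fp(x, b, p):
    return pow(b, x, p)          # f'(x) = b^x mod p


def dh_shared_secret_agrees(x0, x1, b=5, p=23):
    """Constructed instance (p = 23, b = 5 a generator of Z_23^*): A holds x0,
    B holds x1; both sides compute the same value, which is equation (23)."""
    return f(x0, fp(x1, b, p), p) == f(x1, fp(x0, b, p), p)


def rewrite_top(t):
    """Rule f(y, f'(x)) -> f(x, f'(y)) applied at the root, or None."""
    if (isinstance(t, tuple) and t[0] == "f"
            and isinstance(t[2], tuple) and t[2][0] == "fp"):
        y, x = t[1], t[2][1]
        return ("f", x, ("fp", y))
    return None


def forms(t):
    """All forms of t modulo (23).  The rules are applied at every position;
    because f(x, y) -> f(x, y) leaves a term unchanged, every term is also one
    of its own forms, which is the non-determinism noted in the text."""
    if not isinstance(t, tuple):
        return {t}
    results = set()
    for args in product(*(forms(a) for a in t[1:])):   # rewrite inside first
        u = (t[0],) + tuple(args)
        results.add(u)
        r = rewrite_top(u)                               # then optionally at the root
        if r is not None:
            results.add(r)
    return results


def equal_mod_theory(t1, t2):
    """t1 = t2 modulo the equational theory iff they share a form."""
    return bool(forms(t1) & forms(t2))


def clause_hypothesis_matches():
    """Section 9.1's situation: the m-event carries f(p2, f'(p1)) while the
    event carries f(p1, f'(p2)); syntactically different, equal modulo (23)."""
    in_event = ("e", "pkA", ("f", "p1", ("fp", "p2")))
    in_mevent = ("e", "pkA", ("f", "p2", ("fp", "p1")))
    return equal_mod_theory(in_event, in_mevent)
```

Rewriting both sides into their finitely many forms before a syntactic comparison is exactly what lets the verifier keep syntactic unification in resolution: a term whose second argument is not of the form $f'(\ldots)$ has a single form, so the check degenerates to plain equality there.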

When using this model, we have to adapt the verification of correspondences. In- 
deed, the conditions on the clauses must be checked modulo the equational theory. 
(Using the rewrite rules, we can implement unification modulo the equational the- 
ory, basically by rewriting the terms by the rewrite rules before performing syntactic 
unification.) For example, in the case of non-injective agreement, even if the pro- 
cess $P_0$ satisfies non-injective agreement against $Init$-adversaries, it may happen that 
a clause $m\text{-}event(e'(p_1, \ldots, p_n)\{f(p_2, f'(p_1))/z\}) \Rightarrow event(e(p_1, \ldots, p_n)\{f(p_1, 
f'(p_2))/z\})$ is in $solve_{P_0,Init}(event(e(x_1, \ldots, x_n)))$. The specification is still satisfied 
in this case, because $(p_1, \ldots, p_n)\{f(p_1, f'(p_2))/z\} = (p_1, \ldots, p_n)\{f(p_2, f'(p_1))/z\}$ 
modulo the equational theory. So we have to test that, if $H \Rightarrow event(e(p_1, \ldots, p_n))$ is 
in $solve_{P_0,Init}(event(e(x_1, \ldots, x_n)))$, then there exist $p'_1, \ldots, p'_n$ equal to $p_1, \ldots, p_n$ 
modulo the equational theory such that $m\text{-}event(e'(p'_1, \ldots, p'_n)) \in H$. More gener- 
ally, the equality $R = H \wedge m\text{-}event(\sigma' p_{j1}) \wedge \ldots \wedge m\text{-}event(\sigma' p_{jm_j}) \Rightarrow event(\sigma' p)$ in 
the hypothesis of Theorem 3 is checked modulo the equational theory (using matching 
modulo the equational theory to find $\sigma'$). Point V2.1 of the definition of $verify$ and Hy- 
pothesis H2 of Theorem 5 are also checked modulo the equational theory. Furthermore, 
the following condition is added to Point V2.2 of the definition of $verify$: 

For all $j$, $r$, and $k$, we let $q_c = \sigma_{jr}q_{jk}$ and $p_c = \sigma_{jr}p_{jk}$, and we 
require that, for all substitutions $\sigma$ and $\sigma'$, if $\sigma p_c = \sigma' p_c$ and for all 
$x \in fv(q_c) \setminus fv(p_c)$, $\sigma x = \sigma' x$, then $\sigma q_c = \sigma' q_c$ (where equalities are 
considered modulo the equational theory). 

This property is useful in the proof of Theorem 5 (see Appendix E). It always holds 
when the equational theory is empty, because $\sigma p_c = \sigma' p_c$ implies that for all $x \in 
fv(p_c)$, $\sigma x = \sigma' x$, so for all $x \in fv(q_c)$, $\sigma x = \sigma' x$. However, it does not hold in 
general for any equational theory, so we need to check it explicitly when the equational 
theory is non-empty. In the implementation, this condition is checked as follows. Let 
$\theta$ be a renaming of variables of $p_c$ to fresh variables. We check that, for every $\sigma_u$ most 
general unifier of $p_c$ and $\theta p_c$ modulo the equational theory, $\sigma_u q_c = \sigma_u \theta q_c$ modulo 
the equational theory. When this check succeeds, we can prove the condition above as 
follows. Let $\sigma_0$ be defined by, for all $x \in fv(q_c)$, $\sigma_0 x = \sigma x$ and, for all $x \in fv(\theta p_c)$, 
$\sigma_0 x = \sigma' \theta^{-1} x$. If $\sigma p_c = \sigma' p_c$, then $\sigma_0 p_c = \sigma p_c = \sigma' p_c = \sigma_0 \theta p_c$, so $\sigma_0$ unifies $p_c$ and 
$\theta p_c$, hence there exist $\sigma_1$ and a most general unifier $\sigma_u$ of $p_c$ and $\theta p_c$ such that $\sigma_0 = 
\sigma_1 \sigma_u$. We have $\sigma_u q_c = \sigma_u \theta q_c$, so $\sigma q_c = \sigma_0 q_c = \sigma_1 \sigma_u q_c = \sigma_1 \sigma_u \theta q_c = \sigma_0 \theta q_c = \sigma' q_c$. 

This treatment of equations has the advantage that resolution can still use syntactic 
unification, so it remains efficient. However, it also has limitations; for example, it 
cannot handle associative functions, such as XOR, because it would generate an in- 
finite number of rewrite rules for the destructors. We refer to [28,31] for treatments 
of XOR and to [27,48,56,58] for treatments of Diffie-Hellman key agreements with 
more detailed algebraic relations. The NRL protocol analyzer handles a limited version 
of associativity for strings of bounded length [43], which we could handle. 

9.2 Precise Treatment of else Branches 

In the generation of clauses described in Section 5.2, we consider that the else branch 
of destructor applications may always be executed. Our implementation takes into 
account these else branches more precisely. In order to do that, it uses a set of special 
variables $GVar$ and a predicate $nounif$, also used in [18], such that, for all closed 
patterns $p$ and $p'$, $nounif(p, p')$ holds if and only if there is no closed substitution $\sigma$ 
with domain $GVar$ such that $\sigma p = \sigma p'$. The fact $nounif(p, p')$ means that $p \neq p'$ for 
all values of the special variables in $GVar$. 

One can then check the failure of an equality test $M = M'$ by 
$nounif(\rho(M), \rho(M'))$ and the failure of a destructor application $g(M_1, \ldots, M_n)$ 
by $\bigwedge_{g(p_1, \ldots, p_n) \to p \in def(g)} nounif((\rho(M_1), \ldots, \rho(M_n)), GVar(p_1, \ldots, p_n))$, where 
$GVar(p)$ is the pattern $p$ after renaming all its variables to elements of $GVar$ and 
$\rho$ is the environment that maps variables to their corresponding patterns. Intuitively, 
the rewrite rule $g(p_1, \ldots, p_n) \to p$ can be applied if and only if $(\rho(M_1), \ldots, \rho(M_n))$ 
is an instance of $(p_1, \ldots, p_n)$. So the rewrite rule $g(p_1, \ldots, p_n) \to p$ cannot be applied 
if and only if $nounif((\rho(M_1), \ldots, \rho(M_n)), GVar(p_1, \ldots, p_n))$. 

The predicate nounif is handled by specific simplification steps in the solver, de- 
scribed and proved correct in [18]. 

9.3 Scenarios with Several Stages 

Some protocols can be broken into several parts, or stages, numbered $0, 1, \ldots$, such that 
when the protocol starts, stage 0 is executed; at some point in time, stage 0 stops and 
stage 1 starts; later, stage 1 stops and stage 2 starts, and so on. Therefore, stages allow 
us to model a global clock. Our verifier can be extended to such scenarios with several 
stages, as summarized in [18]. We add a construct $t : P$ to the syntax of processes, 
which means that process $P$ runs only in stage $t$, where $t$ is an integer. 
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The generation of clauses can easily be extended to processes with stages. We 
use predicates attacked and message t for each stage t, generate the clauses for the 
attacker for each stage, and the clauses for the protocol with predicates attacked and 
message t for each process that runs in stage t. Furthermore, we add clauses 

attacked (x) attacker t+ i(x) (Rt) 

in order to transmit attacker knowledge from each stage t to the next stage t + 1. 

Scenarios with several stages allow us to model properties related to the compromise
of keys. For example, we can model forward secrecy properties as follows. Consider
a public-key protocol $P$ (without stage prefix) and the process $P' = 0 : P \mid 1 :
\overline{c}\langle sk_A \rangle; \overline{c}\langle sk_B \rangle$, which runs $P$ in stage 0 and later outputs the secret keys of $A$ and $B$
on the public channel $c$ in stage 1. If we prove that $P'$ preserves the secrecy of the
session keys of $P$, then the attacker cannot obtain these session keys even if it later
compromises the private keys of $A$ and $B$, which is forward secrecy.

9.4 Compromise of Session Keys 

We consider the situation in which the attacker compromises some session keys of the 
protocol. Our goal is then to show that the other session keys of the protocol are still 
safe. For example, this property does not hold for the Needham-Schroeder shared-key 
protocol [60]: in this protocol, when an attacker manages to get some session keys, 
then it can also get the secrets of other sessions. 

If we assume that the compromised sessions are all run before the standard sessions 
(to model that the adversary needs time to break the session keys before being able to 
use the obtained information against standard sessions), then this can be modeled as 
a scenario with two stages: in stage 0, the process runs a modified version of the 
protocol that outputs its session keys; in stage 1, the standard sessions run; we prove
the security of the sessions of stage 1.

However, we can also consider a stronger model, in which the compromised ses- 
sions may run in parallel with the non-compromised ones. In this case, we have a single 
stage. 

Let $P_0$ be the process representing the whole protocol. We consider that the part of
$P_0$ not under replications corresponds to the creation of long-term secrets, and the part
of $P_0$ under at least one replication corresponds to the sessions. We say that the names
generated under at least one replication in $P_0$ are session names. We add one argument
$i_c$ to the function symbols $a[\ldots]$ that encode session names in the instrumented process
$P_0'$; this additional argument is named compromise identifier and can take two values,
$s_0$ or $s_1$. We consider that, during the execution of the protocol, each replicated subprocess
$!Q_x$ of $P_0$ generates two sets of copies of $Q_x$, one with compromise identifier $s_0$,
one with $s_1$. The attacker compromises sessions that involve only copies of processes
$Q_x$ with the compromise identifier $s_0$. It does not compromise sessions that involve at
least one copy of some process $Q_x$ with compromise identifier $s_1$.

The clauses for the process $P_0$ are generated as in Section 5.2 (except for the addition
of a variable compromise identifier as argument of session names). The following
clauses are added:

For each constructor $f$, $\mathit{comp}(x_1) \wedge \ldots \wedge \mathit{comp}(x_k) \Rightarrow \mathit{comp}(f(x_1, \ldots, x_k))$

For each $(\nu a : a[\ldots])$ under $n$ replications and $k$ inputs and non-deterministic
destructor applications in $P_0'$,

$\mathit{comp}(x_1) \wedge \ldots \wedge \mathit{comp}(x_k) \Rightarrow \mathit{comp}(a[x_1, \ldots, x_k])$ if $n = 0$

$\mathit{comp}(x_1) \wedge \ldots \wedge \mathit{comp}(x_k) \Rightarrow \mathit{comp}(a[x_1, \ldots, x_k, i_1, \ldots, i_n, s_0])$ if $n > 0$

$\mathit{comp}(x_1) \wedge \ldots \wedge \mathit{comp}(x_k) \Rightarrow \mathit{attacker}(a[x_1, \ldots, x_k, i_1, \ldots, i_n, s_0])$ if $n > 0$

The predicate comp is such that $\mathit{comp}(p)$ is true when all session names in $p$ have
compromise identifier $s_0$. These clauses express that the attacker has the session names
that contain only the compromise identifier $s_0$.

In order to prove the secrecy of a session name $s$, we query the fact $\mathit{attacker}(s[x_1,
\ldots, x_k, i_1, \ldots, i_n, s_1])$. If this fact is underivable, then the protocol does not have
the weakness of the Needham-Schroeder shared-key protocol mentioned above: the
attacker cannot have the secret $s$ of a session that it has not compromised. In contrast,
$\mathit{attacker}(s[x_1, \ldots, x_k, i_1, \ldots, i_n, s_0])$ is always derivable, since the attacker has
compromised the sessions with identifier $s_0$.

We can also prove correspondences in the presence of key compromise. We want
to prove that the non-compromised sessions are secure, so we prove that, if an event
$\mathit{event}(M)$ has been executed in a copy of some $Q_x$ with compromise identifier $s_1$,
then the required events $\mathit{event}(M_{jk})$ have been executed in any process. (A copy of
$Q_x$ with compromise identifier $s_1$ may interact with a copy of $Q_y$ with compromise
identifier $s_0$ and, in this case, the events $\mathit{event}(M_{jk})$ may be executed in the copy of
$Q_y$ with compromise identifier $s_0$.) We obtain this result by adding the compromise
identifier $i_c$ as argument of the predicates m-event and event in clauses, and correspondingly
adding $s_1$ as argument of $\mathit{event}(M)$ and $\mathit{event}(M_j)$, and a fresh variable
as argument of the other events $\mathit{event}(M_{jk})$ in queries. We can then prove the correspondence
in the same way as in the absence of key compromise. The treatment of
correspondences $\mathit{attacker}(M) \rightsquigarrow \ldots$ and $\mathit{message}(M, M') \rightsquigarrow \ldots$ in which $M$ and
$M'$ do not contain bound names remains unchanged.

10 Experimental Results 

We have implemented our verifier in Ocaml and have performed tests on various pro- 
tocols of the literature. The tests reported here concern secrecy and authentication 
properties for simple examples of protocols. More complex examples have been stud- 
ied, using our technique for proving correspondences. We do not detail them in this 
paper, because they have been the subject of specific papers [2, 3, 19]. 

Our results are summarized in Figure 6, with references to the papers that describe 
the protocols and the attacks. In these tests, the protocols are fully modeled, includ- 
ing interaction with the server for all versions of the Needham-Schroeder, Woo-Lam 
shared key, Denning-Sacco, Otway-Rees, and Yahalom protocols. The first column in- 
dicates the name of the protocol; we use the following abbreviations: NS for Needham-
Schroeder, PK for public-key, SK for shared-key, corr. for corrected, tag. for tagged,
unid. for unidirectional, and bid. for bidirectional. We have tested the Needham-
Schroeder shared key protocol with the modeling of key compromise mentioned in
Section 9.4, in which the compromised sessions can be executed in parallel with the 
non-compromised ones (version marked "comp." in Figure 6). The second column 
indicates the number of Horn clauses that represent the protocol. The third column 
indicates the total number of resolution steps performed for analyzing the protocol. 

The fourth column gives the execution time of our analyzer, in ms, on a Pentium M
1.8 GHz. Several secrecy and agreement specifications are checked for each protocol.
The time given is the total time needed to check all specifications. The following 
factors influence the speed of the system: 

• We use secrecy assumptions to speed up the search. These assumptions say that 
the secret keys of the principals, and the random values of the Diffie-Hellman 
key agreement in the Skeme protocol, remain secret. On average, the verifier is 
two times slower without secrecy assumptions, in our tests. 

• We mentioned several selection functions, and the speed of the system can vary
substantially depending on the selection function. In the tests of Figure 6, we
used the selection function $\mathit{sel}_2$. With $\mathit{sel}_1$, the system is two times slower on
average on Needham-Schroeder shared-key, Otway-Rees, the variant of [63]
of Otway-Rees, and Skeme but faster on the bidirectional simplified Yahalom
(59 ms instead of 91 ms). The speed is almost unchanged for our other tests. On
average, the verifier is 1.8 times slower with $\mathit{sel}_1$ than with $\mathit{sel}_2$, in our tests.

The selection function $\mathit{sel}_0$ gives approximately the same speed as $\mathit{sel}_1$, except
for Skeme, for which the analysis does not terminate with $\mathit{sel}_0$. (We comment
further on termination below.)

• The tests of Figure 6 have been performed without elimination of redundant hy- 
potheses. With elimination of redundant hypotheses that contain m-event facts, 
we obtain approximately the same speed. With elimination of all redundant hy- 
potheses, the verifier is 1.3 times slower on average in these tests, because of the 
time spent testing whether hypotheses are redundant. 

When our tool successfully proves that a protocol satisfies a certain specification, 
we are sure that this specification indeed holds, by our soundness theorems. When 
our tool does not manage to prove that a protocol satisfies a certain specification, it 
finds at least one clause and a derivation of this clause that contradicts the specifica- 
tion. The existence of such a clause does not prove that there is an attack: it may 
correspond to a false attack, due to the approximations introduced by the Horn clause 
model. However, using an extension of the technique of [6] to events, in most cases, 
our tool reconstructs a trace of the protocol, and thus proves that there is actually an 
attack against the considered specification. In the tests of Figure 6, this reconstruction 
succeeds in all cases for secrecy and non-injective correspondences, in the absence of 
key compromise. The trace reconstruction is not implemented yet in the presence of 
key compromise (Section 9.4) or for injective correspondences. (It presents additional 
difficulties in the latter case, since the trace should execute some event twice and others 
once in order to contradict injectivity, while the derivation corresponds to the execution
of events once, with badly related session identifiers.) In the cases in which trace
reconstruction is not implemented, we have checked manually that the protocol is indeed
subject to an attack, so our tool found no false attack in the tests of Figure 6: for all
specifications that hold, it has proved them.

Figure 6: Experimental results

The last four columns give the results of the analysis. The column "Secrecy"
concerns secrecy properties, the column A concerns agreement specifications
$\mathit{event}(e(x_1, \ldots, x_n)) \rightsquigarrow [\mathit{inj}]\,\mathit{event}(e'(x_1, \ldots, x_n))$ in which $A$ executes the
event $\mathit{event}(e(M_1, \ldots, M_n))$, the column B agreement specifications $\mathit{event}(e(x_1,
\ldots, x_n)) \rightsquigarrow [\mathit{inj}]\,\mathit{event}(e'(x_1, \ldots, x_n))$ in which $B$ executes the event $\mathit{event}(e(M_1,
\ldots, M_n))$. The last column gives the reference of the attacks when attacks are found.
The first six protocols of Figure 6 (Needham-Schroeder public key and Woo-Lam one-
way authentication protocols) are authentication protocols. For them, we have tested
non-injective and recent injective agreement on the name of the participants, and non-
injective and injective full agreement (agreement on all atomic data). For the Needham-
Schroeder public key protocol, we have also tested the secrecy of nonces. "Nonces B"
means that the nonces $N_A$ and $N_B$ manipulated by $B$ may not be secret, "None" means
all tested specifications are satisfied (there is no attack), "All" that our tool finds an
attack against all tested specifications. The Woo and Lam protocols are one-way
authentication protocols: they are intended to authenticate $A$ to $B$, but not $B$ to $A$, so we
have only tested them with $B$ containing $\mathit{event}(e(M_1, \ldots, M_n))$.

Numerous versions of the Woo and Lam shared-key protocol have been published
in the literature [70], [8], [5, end of Example 3.2], [5, Example 6.2], [72], [46] (flawed
and corrected versions). Our tool terminates and proves the correctness of the corrected
versions of [8] and of [46]; it terminates and finds an attack on the flawed version
of [46]. (The messages received or sent by $A$ do not depend on the host $A$ wants to
talk to, so $A$ may start a session with the adversary $C$, and the adversary can reuse the
messages of this session to talk to $B$ in $A$'s name.) We can easily see that the versions
of [70] and [5, Example 6.2] are also subject to this attack, even if our tool does not 
terminate on them. The only difference between the protocol of [46] and that of [70] is 
that [46] adds tags to distinguish different encryption sites. As shown in Section 8.1, 
adding tags enforces termination. Our tool finds the attack of [29, bottom of page 52] 
on the versions of [5, end of Example 3.2] and [72]. For example, the version of [72]
is

Message 1. A -> B: A
Message 2. B -> A: N_B
Message 3. A -> B: {A, B, N_B}_{K_AS}
Message 4. B -> S: {A, B, {A, B, N_B}_{K_AS}}_{K_BS}
Message 5. S -> B: {A, B, N_B}_{K_BS}

and the attack is

Message 1. I(A) -> B: A
Message 2. B -> I(A): N_B
Message 3. I(A) -> B: N_B
Message 4. B -> I(A): {A, B, N_B}_{K_BS}
Message 5. I(A) -> B: {A, B, N_B}_{K_BS}

In message 3, the adversary sends $N_B$ instead of $\{A, B, N_B\}_{K_{AS}}$. $B$ cannot see the
difference and, acting as defined in the protocol, $B$ unfortunately sends exactly the
message needed by the adversary as message 5. So $B$ thinks he talks to $A$, while $A$ and
$S$ may well be dead. The attack found against the version of [5, end of Example
3.2] is very similar.

The last five protocols exchange a session key, so we have tested agreement on 
the names of the participants, and agreement on both the participants and the session 
key (instead of full agreement, since agreement on the session key is more important 
than agreement on other values). In Figure 6, "Key B" means that the key obtained by 
B may not be secret, "Key" means that agreement on the session key is wrong, "Inj" 
means that injective agreement is wrong, "All" and "None" are as before. 

In the Needham-Schroeder shared key protocol [60], the last messages are

Message 4. B -> A: {N_B}_K
Message 5. A -> B: {N_B - 1}_K

where $N_B$ is a nonce. Representing $N_B - 1$ with a function $\mathit{minusone}(x) = x - 1$, with
associated destructor plusone defined by $\mathit{plusone}(\mathit{minusone}(x)) \rightarrow x$, the algorithm
does not terminate with the selection function $\mathit{sel}_0$. The selection functions $\mathit{sel}_1$ or $\mathit{sel}_2$
given in Section 8.2 however yield termination. We can also notice that the purpose of
the subtraction is to distinguish the reply of $A$ from $B$'s message. As mentioned in [5],
it would be clearer to have:

Message 4. B -> A: {Message 4 : N_B}_K
Message 5. A -> B: {Message 5 : N_B}_K

We have used this encoding in the tests shown in Figure 6. Our tool then terminates
with selection functions $\mathit{sel}_0$, $\mathit{sel}_1$, and $\mathit{sel}_2$. [20] explains in more detail why these two
messages encoded with minusone prevent termination with $\mathit{sel}_0$, and why the addition
of tags "Message 4", "Message 5" yields termination. Adding the tags may strengthen
the protocol (for instance, in the Needham-Schroeder shared key protocol, it prevents
replaying Message 5 as a Message 4), so the security of the tagged version does not
imply the security of the original version. As mentioned in [5], using the tagged version
is a better design choice because it prevents confusing different messages, so this
version should be implemented. Our tool also does not terminate on Skeme with selection
function $\mathit{sel}_0$, for an authentication query, but terminates with selection functions
$\mathit{sel}_1$ or $\mathit{sel}_2$. All other examples of Figure 6 terminate with the three selection functions
$\mathit{sel}_0$, $\mathit{sel}_1$, and $\mathit{sel}_2$.

Among the examples of Figure 6, only the Woo-Lam shared key protocol, flawed 
and corrected versions of [46] and the Needham-Schroeder shared key protocol have 
explicit tags. Our tool terminates on all other protocols, even if they are not tagged. The 
termination can partly be explained by the notion of "implicitly tagged" protocols [20]:
the various messages are not distinguished by explicit tags, but by other properties 
of their structure, such as the arity of the tuples that they contain. In Figure 6, the 
Denning-Sacco protocol and the Woo-Lam public key protocol are implicitly tagged. 
Still, the tool terminates on many examples that are not even implicitly tagged. 

For the Yahalom protocol, we show that, if $B$ thinks that $k$ is a key to talk with
$A$, then $A$ also thinks that $k$ is a key to talk with $B$. The converse is clearly wrong,
because the session key is sent from A to B in the last message, so the adversary can 
intercept this message, so that A has the key but not B. 

For the Otway-Rees protocol, we do not have agreement on the session key, since 
the adversary can intercept messages in such a way that one participant has the key and 
the other one has no key. There is also an attack in which both participants get a key, 
but not the same one [44]. The latter attack is not found by our tool, since it stops with 
the former attacks. 

For the simplified version of the Otway-Rees protocol given in [5], $B$ can
execute its event $\mathit{event}(e(M_1, \ldots, M_n))$ with $A$ dead, and $A$ can execute its event
$\mathit{event}(e(M_1, \ldots, M_n))$ with $B$ dead. As Burrows, Abadi, and Needham already noted
in [26], even the original protocol does not guarantee to B that A is alive (attack against 
injective agreement that we also find). [46] said that the protocol satisfied its authenti- 
cation specifications, because they showed that neither A nor B can conclude that k is 
a key for talking between A and B without the server first saying so. (Of course, this 
property is also important, and could also be checked with our verifier.) 

11 Conclusion 

We have extended previous work on the verification of security protocols by logic
programming techniques, from secrecy to a very general class of correspondences, including
not only authentication but also, for instance, correspondences that express that the
messages of the protocol have been sent and received in the expected order. This technique
enables us to check correspondences in a fully automatic way, without bounding
the number of sessions of the protocols. This technique also yields an efficient verifier,
as the experimental results demonstrate.

Acknowledgments 

We would like to thank Martín Abadi, Jérôme Feret, Cédric Fournet, and Andrew Gordon
for helpful discussions on this paper. This work was partly done at Max-Planck-
Institut für Informatik, Saarbrücken, Germany.

References 

[1] M. Abadi and B. Blanchet. Analyzing security protocols with secrecy types and
logic programs. Journal of the ACM, 52(1):102-146, Jan. 2005.

[2] M. Abadi and B. Blanchet. Computer-assisted verification of a protocol for certified
email. Science of Computer Programming, 58(1-2):3-27, Oct. 2005. Special
issue SAS'03.

[3] M. Abadi, B. Blanchet, and C. Fournet. Just fast keying in the pi calculus.
ACM Transactions on Information and System Security (TISSEC), 10(3):1-59,
July 2007.

[4] M. Abadi and C. Fournet. Mobile values, new names, and secure communication.
In 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of
Programming Languages (POPL'01), pages 104-115, London, United Kingdom,
Jan. 2001. ACM Press.

[5] M. Abadi and R. Needham. Prudent engineering practice for cryptographic pro- 
tocols. IEEE Transactions on Software Engineering, 22(1):6-15, Jan. 1996. 

[6] X. Allamigeon and B. Blanchet. Reconstruction of attacks against cryptographic
protocols. In 18th IEEE Computer Security Foundations Workshop (CSFW-18),
pages 140-154, Aix-en-Provence, France, June 2005. IEEE.

[7] R. Amadio and S. Prasad. The game of the name in cryptographic tables. In P. S. 
Thiagarajan and R. Yap, editors, Advances in Computing Science - ASIAN'99, 
volume 1742 of Lecture Notes on Computer Science, pages 15-27, Phuket, Thai- 
land, Dec. 1999. Springer. 

[8] R. Anderson and R. Needham. Programming Satan's computer. In J. van Leeuwen,
editor, Computer Science Today: Recent Trends and Developments, volume
1000 of Lecture Notes on Computer Science, pages 426-440. Springer, 1995.

[9] L. Bachmair and H. Ganzinger. Resolution theorem proving. In A. Robinson and
A. Voronkov, editors, Handbook of Automated Reasoning, volume 1, chapter 2,
pages 19-100. North Holland, 2001.

[10] M. Backes, A. Cortesi, and M. Maffei. Causality-based abstraction of multiplicity 
in security protocols. In 20th IEEE Computer Security Foundations Symposium 
(CSF'07), pages 355-369, Venice, Italy, July 2007. IEEE. 

[11] M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. R. 
Stinson, editor, Advances in Cryptology - CRYPTO 1993, volume 773 of Lec- 
ture Notes on Computer Science, pages 232-249, Santa Barbara, California, Aug. 
1993. Springer. 

[12] K. Bhargavan, C. Fournet, A. D. Gordon, and R. Pucella. TulaFale: A security
tool for web services. In Formal Methods for Components and Objects
(FMCO 2003), volume 3188 of Lecture Notes on Computer Science, pages 197-
222, Leiden, The Netherlands, Nov. 2003. Springer. Paper and tool available at
http://securing.ws/.

[13] B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In 
14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82-96, 
Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society. 

[14] B. Blanchet. From secrecy to authenticity in security protocols. In 
M. Hermenegildo and G. Puebla, editors, 9th International Static Analysis Sym- 
posium (SAS'02), volume 2477 of Lecture Notes on Computer Science, pages 
342-359, Madrid, Spain, Sept. 2002. Springer. 

[15] B. Blanchet. Automatic proof of strong secrecy for security protocols. In IEEE 
Symposium on Security and Privacy, pages 86-100, Oakland, California, May 
2004. 

[16] B. Blanchet. Automatic proof of strong secrecy for security protocols.
Technical Report MPI-I-2004-NWG1-001, Max-Planck-Institut für Informatik,
Saarbrücken, Germany, July 2004.

[17] B. Blanchet. Security protocols: From linear to classical logic by abstract interpretation.
Information Processing Letters, 95(5):473-479, Sept. 2005.

[18] B. Blanchet, M. Abadi, and C. Fournet. Automated verification of selected equivalences
for security protocols. Journal of Logic and Algebraic Programming,
75(1):3-51, Feb.-Mar. 2008.

[19] B. Blanchet and A. Chaudhuri. Automated formal analysis of a protocol for se- 
cure file sharing on untrusted storage. In IEEE Symposium on Security and Pri- 
vacy, Oakland, CA, May 2008. IEEE. To appear. 

[20] B. Blanchet and A. Podelski. Verification of cryptographic protocols: Tagging
enforces termination. Theoretical Computer Science, 333(1-2):67-90, Mar. 2005.
Special issue FoSSaCS'03.

[21] C. Bodei, M. Buchholtz, P. Degano, F. Nielson, and H. R. Nielson. Static validation
of security protocols. Journal of Computer Security, 13(3):347-390, 2005.

[22] P. Broadfoot, G. Lowe, and B. Roscoe. Automating data independence. In 6th Eu- 
ropean Symposium on Research in Computer Security (ESORICS 2000), volume 
1895 of Lecture Notes on Computer Science, pages 175-190, Toulouse, France, 
Oct. 2000. Springer. 

[23] P. J. Broadfoot and A. W. Roscoe. Embedding agents within the intruder to detect
parallel attacks. Journal of Computer Security, 12(3/4):379-408, 2004.

[24] M. Bugliesi, R. Focardi, and M. Maffei. Analysis of typed analyses of authenti- 
cation protocols. In Proc. 18th IEEE Computer Security Foundations Workshop 
(CSFW'05), pages 112-125, Aix-en-Provence, France, June 2005. IEEE Comp. 
Soc. Press. 

[25] M. Bugliesi, R. Focardi, and M. Maffei. Dynamic types for authentication. Jour- 
nal of Computer Security, 15(6):563-617, 2007. 

[26] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. Proceedings 
of the Royal Society of London A, 426:233-271, 1989. A preliminary version 
appeared as Digital Equipment Corporation Systems Research Center report No. 
39, February 1989. 

[27] Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. Deciding the security
of protocols with Diffie-Hellman exponentiation and products in exponents. In
P. K. Pandya and J. Radhakrishnan, editors, FST TCS 2003: Foundations of Software
Technology and Theoretical Computer Science, 23rd Conference, volume
2914 of Lecture Notes on Computer Science, pages 124-135, Mumbai, India,
Dec. 2003. Springer.

[28] Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. An NP decision procedure
for protocol insecurity with XOR. Theoretical Computer Science, 338(1-
3):247-274, June 2005.

[29] J. Clark and J. Jacob. A survey of authentication protocol literature: Version 1.0.
Technical report, University of York, Department of Computer Science, Nov.
1997.

[30] E. Cohen. First-order verification of cryptographic protocols. Journal of Computer
Security, 11(2):189-216, 2003.

[31] H. Comon-Lundh and V. Shmatikov. Intruder deductions, constraint solving and 
insecurity decision in presence of exclusive or. In Symposium on Logic in Com- 
puter Science (LICS'03), pages 271-280, Ottawa, Canada, June 2003. IEEE Com- 
puter Society. 

[32] V. Cortier, J. Millen, and H. Rueß. Proving secrecy is easy enough. In 14th
IEEE Computer Security Foundations Workshop (CSFW-14), pages 97-108, Cape
Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[33] C. J. F. Cremers. Scyther - Semantics and Verification of Security Protocols. Ph.D.
dissertation, Eindhoven University of Technology, Nov. 2006.

[34] A. Datta, A. Derek, J. C. Mitchell, and D. Pavlovic. A derivation system and compositional
logic for security protocols. Journal of Computer Security, 13(3):423-
482, 2005.

[35] H. de Nivelle. Ordering Refinements of Resolution. PhD thesis, Technische Uni- 
versiteit Delft, Oct. 1995. 

[36] M. Debbabi, M. Mejri, N. Tawbi, and I. Yahmadi. A new algorithm for the au- 
tomatic verification of authentication protocols: From specifications to flaws and 
attack scenarios. In DIMACS Workshop on Design and Formal Verification of 
Security Protocols, Rutgers University, New Jersey, Sept. 1997. 

[37] D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Com- 
mun. ACM, 24(8):533-536, Aug. 1981. 

[38] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions 
on Information Theory, IT-22(6): 644-654, Nov. 1976. 

[39] D. Dolev and A. C. Yao. On the security of public key protocols. IEEE Transac- 
tions on Information Theory, IT-29(12): 198-208, Mar. 1983. 

[40] A. Durante, R. Focardi, and R. Gorrieri. CVS at work: A report on new failures
upon some cryptographic protocols. In V. Gorodetski, V. Skormin, and L. Popyack,
editors, Mathematical Methods, Models and Architectures for Computer Networks
Security (MMM-ACNS'01), volume 2052 of Lecture Notes on Computer
Science, pages 287-299, St. Petersburg, Russia, May 2001. Springer.

[41] N. Durgin, P. Lincoln, J. C. Mitchell, and A. Scedrov. Multiset rewriting and
the complexity of bounded security protocols. Journal of Computer Security,
12(2):247-311, 2004.

[42] S. Escobar, C. Meadows, and J. Meseguer. A rewriting-based inference system for
the NRL protocol analyzer and its meta-logical properties. Theoretical Computer
Science, 367(1-2):162-202, 2006.

[43] S. Escobar, C. Meadows, and J. Meseguer. Equational cryptographic reasoning 
in the Maude-NRL protocol analyzer. Electronic Notes in Theoretical Computer 
Science, 171(4):23-36, July 2007. 

[44] F. J. T. Fabrega, J. C. Herzog, and J. D. Guttman. Strand spaces: Proving security 
protocols correct. Journal of Computer Security, 7(2/3): 191-230, 1999. 

[45] A. Gordon and A. Jeffrey. Typing one-to-one and one-to-many correspondences
in security protocols. In M. Okada, B. Pierce, A. Scedrov, H. Tokuda, and
A. Yonezawa, editors, Software Security - Theories and Systems, Mext-NSF-JSPS
International Symposium, ISSS 2002, volume 2609 of Lecture Notes on Computer
Science, pages 263-282, Tokyo, Japan, Nov. 2002. Springer.

[46] A. Gordon and A. Jeffrey. Authenticity by typing for security protocols. Journal
of Computer Security, 11(4):451-521, 2003.

[47] A. Gordon and A. Jeffrey. Types and effects for asymmetric cryptographic proto- 
cols. Journal of Computer Security, 12(3/4):435-484, 2004. 

[48] J. Goubault-Larrecq, M. Roger, and K. N. Verma. Abstraction and resolution 
modulo AC: How to verify Diffie-Hellman-like protocols automatically. Journal 
of Logic and Algebraic Programming, 64(2):219-251, Aug. 2005. 

[49] J. D. Guttman and F. J. T. Fabrega. Authentication tests and the structure of 
bundles. Theoretical Computer Science, 283(2):333-380, 2002. 

[50] J. Heather, G. Lowe, and S. Schneider. How to prevent type flaw attacks on secu- 
rity protocols. In 13th IEEE Computer Security Foundations Workshop (CSFW- 
13), pages 255-268, Cambridge, England, July 2000. 

[51] J. Heather and S. Schneider. A decision procedure for the existence of a rank
function. Journal of Computer Security, 13(2):317-344, 2005.

[52] H. Krawczyk. SKEME: A versatile secure key exchange mechanism for internet.
In Internet Society Symposium on Network and Distributed Systems Security, Feb.
1996. Available at http://bilbo.isu.edu/sndss/sndss96.html.

[53] G. Lowe. Breaking and fixing the Needham-Schroeder public -key protocol using 
FDR. In Tools and Algorithms for the Construction and Analysis of Systems, 
volume 1055 of Lecture Notes on Computer Science, pages 147-166. Springer, 
1996. 

[54] G. Lowe. A hierarchy of authentication specifications. In 10th Computer Security
Foundations Workshop (CSFW'97), pages 31-43, Rockport, Massachusetts, June
1997. IEEE Computer Society.

[55] C. Lynch. Oriented equational logic programming is complete. Journal of Symbolic
Computation, 21(1):23-45, 1997.

[56] C. Meadows and P. Narendran. A unification algorithm for the group Diffie- 
Hellman protocol. In Workshop on Issues in the Theory of Security (WITS '02), 
Portland, Oregon, Jan. 2002. 

[57] C. A. Meadows. The NRL protocol analyzer: An overview. Journal of Logic
Programming, 26(2):113-131, 1996.

[58] J. Millen and V. Shmatikov. Symbolic protocol analysis with an abelian group
operator or Diffie-Hellman exponentiation. Journal of Computer Security,
13(3):515-564, 2005.

[59] J. C. Mitchell, M. Mitchell, and U. Stern. Automated analysis of cryptographic
protocols using Murφ. In 1997 IEEE Symposium on Security and Privacy, pages
141-151, 1997.

[60] R. M. Needham and M. D. Schroeder. Using encryption for authentication in
large networks of computers. Commun. ACM, 21(12):993-999, Dec. 1978.

[61] R. M. Needham and M. D. Schroeder. Authentication revisited. Operating Sys- 
tems Review, 21(1):7, 1987. 

[62] D. Otway and O. Rees. Efficient and timely mutual authentication. Operating 
Systems Review, 21(1):8-10, 1987. 

[63] L. C. Paulson. The inductive approach to verifying cryptographic protocols. Journal
of Computer Security, 6(1-2):85-128, 1998.

[64] A. W. Roscoe and P. J. Broadfoot. Proving security protocols with model checkers
by data independence techniques. Journal of Computer Security, 7(2, 3):147-190,
1999.

[65] M. Rusinowitch and M. Turuani. Protocol insecurity with finite number of sessions
is NP-complete. Theoretical Computer Science, 299(1-3):451-475, Apr.
2003.

[66] D. X. Song, S. Berezin, and A. Perrig. Athena: a novel approach to efficient
automatic security protocol analysis. Journal of Computer Security, 9(1/2):47-
74, 2001.

[67] P. Syverson. A taxonomy of replay attacks. In 7th IEEE Computer Security 
Foundations Workshop (CSFW-94), pages 131-136, Franconia, New Hampshire, 
June 1994. IEEE Computer Society. 

[68] P. Syverson and C. Meadows. A formal language for cryptographic protocol 
requirements. Designs, Codes, and Cryptography, 7(1/2):27-59, 1996. 

[69] C. Weidenbach. Towards an automatic analysis of security protocols in first- 
order logic. In H. Ganzinger, editor, 16th International Conference on Automated 
Deduction (CADE-16), volume 1632 of Lecture Notes in Artificial Intelligence, 
pages 314-328, Trento, Italy, July 1999. Springer. 

[70] T. Y. C. Woo and S. S. Lam. Authentication for distributed systems. Computer, 
25(1):39-52, Jan. 1992. 

[71] T. Y. C. Woo and S. S. Lam. A semantic model for authentication protocols. In 
Proceedings IEEE Symposium on Research in Security and Privacy, pages 178- 
194, Oakland, California, May 1993. 

[72] T. Y. C. Woo and S. S. Lam. Authentication for distributed systems. In D. Denning 
and P. Denning, editors, Internet Besieged: Countering Cyberspace Scofflaws, 
pages 319-355. ACM Press and Addison-Wesley, Oct. 1997. 

Appendices 

A Instrumented Processes 

Let last(s) be the last element of the sequence of session identifiers s, or ∅ when 
s = ∅. Let label(ℓ) be defined by label(a[t, s]) = (a, last(s)) and label(b0[a[s]]) = 
(a, last(s)). We define the multiset Label(P) as follows: Label((νa : ℓ)P) = 
{label(ℓ)} ∪ Label(P), Label(!^i P) = ∅, and in all other cases, Label(P) is the 
union of the Label(P') for all immediate subprocesses P' of P. Let Label(E) = 
{label(E(a)) | a ∈ dom(E)} and Label(S) = {(a, λ) | λ ∈ S, a any name function 
symbol}. 

Definition 16 An instrumented semantic configuration is a triple S, E, 𝒫 such that S 
is a countable set of constant session identifiers, the environment E is a mapping from 
names to closed patterns, and 𝒫 is a multiset of closed processes. The instrumented 
semantic configuration S, E, 𝒫 is well-labeled when the multiset Label(S) ∪ Label(E) ∪ 
⋃_{P ∈ 𝒫} Label(P) contains no duplicates. 

Lemma 5 Let P0 be a closed process and P0' = instr(P0). Let Q be an Init-adversary 
and Q' = instrAdv(Q). Let E0 such that fn(P0) ∪ Init ⊆ dom(E0) and, for all 
a ∈ dom(E0), E0(a) = a[]. The configuration S0, E0, {P0', Q'} is a well-labeled 
instrumented semantic configuration. 

Proof We have Label(E0) = {(a, ∅) | a ∈ dom(E0)}, Label(P0') = {(a, ∅) | (νa : 
a[...]) occurs in P0' not under a replication}, and Label(Q') = {(a, ∅) | (νa : b0[a[]]) 
occurs in Q' not under a replication}. These multisets contain no duplicates since the 
bound names of P0' and Q' are pairwise distinct and distinct from names in dom(E0). 
So the multiset Label(S0) ∪ Label(E0) ∪ Label(P0') ∪ Label(Q') contains no duplicates. 
□ 



Lemma 6 If S, E, 𝒫 is a well-labeled instrumented semantic configuration and 
S, E, 𝒫 → S', E', 𝒫' then S', E', 𝒫' is a well-labeled instrumented semantic con- 
figuration. 

Proof We proceed by cases on the reduction S, E, 𝒫 → S', E', 𝒫'. The rule (Red 
Repl) removes the labels (a, λ) for a certain λ from Label(S) and adds some of them to 
Label(𝒫). The rule (Red Res) removes a label from Label(𝒫) and adds it to Label(E). 
Other rules can remove labels when they remove a subprocess, but they do not add 
labels. □ 

Lemma 7 Let S, E, 𝒫 be an instrumented semantic configuration. Let σ be a substitu- 
tion and σ' be defined by σ'x = E(σx) for all x. For all terms M, E(σM) = σ'E(M) 
and, for all atoms α, E(σα) = σ'E(α). 

Proof We prove the result for terms M by induction on M. 

• If M = x, E(σx) = σ'x = σ'E(x) by definition of σ'. 

• If M = a, E(σa) = E(a) = σ'E(a), since E(a) is closed. 

• If M is a composite term M = f(M1, ..., Mn), E(σM) = f(E(σM1), ..., 
E(σMn)) = f(σ'E(M1), ..., σ'E(Mn)) = σ'E(M), by induction hypothesis. 

The extension to atoms is similar to the case of composite terms. □ 
Lemma 8 If S, E, 𝒫 is a well-labeled instrumented semantic configuration, M and 
M' are closed terms, and E(M) = E(M'), then M = M'. 

Proof The multiset Label(E) does not contain duplicates, hence different names in 
E have different associated patterns, therefore different terms have different associated 
patterns. □ 

Lemma 9 If S, E, 𝒫 is a well-labeled instrumented semantic configuration, M' is a 
closed term, and E(M') = σE(M), then there exists a substitution σ' such that M' = 
σ'M and, for all variables x of M, E(σ'x) = σx. We have a similar result for atoms 
and for tuples containing terms and atoms. 

Proof We prove the result for terms by induction on M. 

• If M = x, E(M') = σE(M) = σx. We define σ' by σ'x = M'. 

• If M is a name, E(M) is closed, so E(M') = σE(M) = E(M). By Lemma 8, 
M' = M = σ'M for any substitution σ'. 

• If M is a composite term M = f(M1, ..., Mn), E(M') = f(σE(M1), ..., 
σE(Mn)). Therefore, M' = f(M1', ..., Mn') with E(Mi') = σE(Mi) for all 
i ∈ {1, ..., n}. By induction hypothesis, for all i ∈ {1, ..., n}, there exists 
σi' such that Mi' = σi'Mi and, for all variables x of Mi, E(σi'x) = σx. For 
all i, j, if x occurs in Mi and Mj, E(σi'x) = σx = E(σj'x), so by Lemma 8, 
σi'x = σj'x. Thus we can merge all substitutions σi' into a substitution σ' defined 
by σ'x = σi'x when x occurs in Mi. So we have M' = σ'M and, for all variables 
x of M, E(σ'x) = σx. 

The extension to atoms and to tuples of terms and atoms is similar to the case of com- 
posite terms. □ 

Proof (of Lemma 1) Let Q be an Init-adversary and Q' = instrAdv(Q). Let E0 be a set 
of names containing fn(P0) ∪ Init ∪ fn(α) ∪ ⋃_j fn(αj) ∪ ⋃_{j,k} fn(Mjk). Consider a trace 
T = E0, {P0, Q} →* E1, 𝒫1. Let σ such that T satisfies σα. By Proposition 1, letting 
E0' = {a ↦ a[] | a ∈ E0}, there is a trace T' = S0, E0', {P0', Q'} →* S', E1', 𝒫1', 
unInstr(𝒫1') = 𝒫1, and both traces satisfy the same atoms, so T' also satisfies σα. 
Since E0' contains the names of α, αj, and Mjk, and E1' is an extension of E0', 
E1'(α) = E0'(α) = F, E1'(αj) = E0'(αj) = Fj, and E1'(Mjk) = E0'(Mjk) = pjk. 
Let σ'' be defined by σ''x = E1'(σx) for all x. By Lemma 7, E1'(σα) = σ''E1'(α), so 
E1'(σα) = σ''F. Hence T' satisfies σ''F. Since P0' satisfies the given correspondence, 
there exist σ0' and j ∈ {1, ..., m} such that σ0'Fj = σ''F and, for all k ∈ {1, ..., lj}, 
T' satisfies event(σ0'pjk), so there exists Mk'' such that E1'(Mk'') = σ0'pjk and 
T' satisfies event(Mk''). Hence E1'(Mk'') = σ0'E1'(Mjk) and E1'(σα) = σ''F = 
σ0'Fj = σ0'E1'(αj), that is, E1'((M1'', ..., Mlj'', σα)) = σ0'E1'((Mj1, ..., Mjlj, αj)). 
By Lemma 9, there exists σ0 such that (M1'', ..., Mlj'', σα) = σ0(Mj1, ..., Mjlj, αj). 
So σα = σ0αj and, for all k ∈ {1, ..., lj}, T' satisfies event(σ0Mjk), so T also 
satisfies event(σ0Mjk). □ 
Figure 7: Type rules (only the parts of the figure that survived extraction are reproduced here; a premise or conclusion that did not survive is written as "...") 

(Output): from message(E(M), E(N)) ∈ 𝓕_{P0',Init} and E ⊢ P, conclude E ⊢ M̄⟨N⟩.P. 

(Input): from E[x ↦ T'] ⊢ P for all T' such that message(E(M), T') ∈ 𝓕_{P0',Init}, conclude E ⊢ M(x).P. 

(Nil): ... 

(Parallel): ..., conclude E ⊢ P | Q. 

(Replication): ..., conclude E ⊢ !P. 

(Restriction): from E[a ↦ ...] ⊢ P, conclude E ⊢ (νa : i)P. 

(Destructor application): from E[x ↦ T] ⊢ P for all T such that g(E(M1), ..., E(Mn)) → T, and E ⊢ Q, conclude ... 

(Event): from event(E(M)) ∈ 𝓕_{P0',Init} and, if m-event(E(M)) ∈ 𝓕_me, E ⊢ P, conclude E ⊢ event(M).P. 



B Proof of Theorem 1 

The correctness proof uses a type system as a convenient way of expressing invariants 
of processes. This type system can be seen as a modified version of the type system 
of [1, Section 7], which was used to prove the correctness of our protocol verifier for 
secrecy properties. In this type system, the types are closed patterns: 

T ::=                                   types 
    a[T1, ..., Tn, λ1, ..., λk]         name 
    f(T1, ..., Tn)                      constructor application 

The symbols λ1, ..., λk are constant session identifiers, in a set S0. Let 𝓕_{P0',Init} be 
the set of closed facts derivable from 𝓡_{P0',Init} ∪ 𝓕_me. 

The type rules are defined in Figure 7. The environment E is a function from 
names and variables in V to types and from variables in V_s to constant session 
identifiers. The mapping E is extended to all terms as a substitution by E(f(M1, ..., 
Mn)) = f(E(M1), ..., E(Mn)) and to restriction labels by E(a[M1, ..., Mn, i1, ..., 
in']) = a[E(M1), ..., E(Mn), E(i1), ..., E(in')] and E(b0[a[i1, ..., in']]) = 
b0[a[E(i1), ..., E(in')]], so that it maps closed terms and restriction labels to types. 
The rules define the judgment E ⊢ P, which means that the process P is well-typed 
in the environment E. We do not consider the case of conditionals here, since it is a 
particular case of destructor applications. 

We say that an instrumented semantic configuration S, E, 𝒫 is well-typed, and we 
write ⊢ S, E, 𝒫, when it is well-labeled and E ⊢ P for all P ∈ 𝒫. 

Proof sketch (of Theorem 1) Let P0 be the considered process and P0' = instr(P0). 
Let Q be an Init-adversary and Q' = instrAdv(Q). Let E0 such that fn(P0) ∪ Init ⊆ 
dom(E0) and for all a ∈ dom(E0), E0(a) = a[]. 

1. Typability of the adversary: Let P' be a subprocess of Q'. Let E be an envi- 
ronment such that ∀a ∈ fn(P'), attacker(E(a)) ∈ 𝓕_{P0',Init} and ∀x ∈ fv(P'), 
attacker(E(x)) ∈ 𝓕_{P0',Init}. (In particular, E is defined for all free names and 
free variables of P'.) We show that E ⊢ P', by induction on P'. This result is 
similar to [1, Lemma 5.1.4]. In particular, we obtain E0 ⊢ Q'. 

2. Typability of P0': We prove by induction on the process P, subprocess of P0', 
that, if (a) ρ binds all free names and variables of P, (b) 𝓡_{P0',Init} ⊇ [[P]]ρH, (c) 
σ is a closed substitution, and (d) σH can be derived from 𝓡_{P0',Init} ∪ 𝓕_me, then 
σρ ⊢ P. This result is similar to [1, Lemma 7.2.2]. 

In particular, 𝓡_{P0',Init} ⊇ [[P0']]ρ∅, where ρ = {a ↦ a[] | a ∈ fn(P0')}. So, with 
E = σρ = {a ↦ a[] | a ∈ fn(P0')}, E ⊢ P0'. A fortiori, E0 ⊢ P0'. 

3. Properties of P0', Q': By Lemma 5, S0, E0, {P0', Q'} is well-labeled. So, using 
the first two points, ⊢ S0, E0, {P0', Q'}. 

4. Substitution lemma: Let E' = E[x ↦ E(M)]. We show by induction on M' 
that E(M'{M/x}) = E'(M'). We show by induction on P that, if E' ⊢ P, 
then E ⊢ P{M/x}. This result is similar to [1, Lemma 5.1.1]. 

5. Subject reduction: Assume that ⊢ S, E, 𝒫 and S, E, 𝒫 → S', E', 𝒫'. Further- 
more, assume that, if the reduction S, E, 𝒫 → S', E', 𝒫' executes event(M), 
then m-event(E(M)) ∈ 𝓕_me. Then ⊢ S', E', 𝒫'. This is proved by cases on the 
derivation of S, E, 𝒫 → S', E', 𝒫'. This result is similar to [1, Lemma 5.1.3]. 

6. Consider the trace T = S0, E0, {P0', Q'} →* S', E', 𝒫'. By the hypoth- 
esis of the theorem, if event(M) has been executed in T, then T satisfies 
event(E'(M)), so m-event(E'(M)) ∈ 𝓕_me. If the reduction that executes 
event(M) is S, E, 𝒫 → S, E, 𝒫'', we have E(M) = E'(M), since E' is an 
extension of E, and E already contains the names of M. Hence we obtain the 
hypothesis of subject reduction. So, by Items 3 and 5, we infer that all configu- 
rations in the trace are well-typed. 

When F = event(p), since T satisfies event(p), there exists M such that T 
satisfies event(M) and E'(M) = p. So T contains a reduction S1, E1, 𝒫1 ∪ 
{event(M).P} → S1, E1, 𝒫1 ∪ {P}. Therefore E1 ⊢ event(M).P, so 
event(E1(M)) ∈ 𝓕_{P0',Init}. Moreover, E1(M) = E'(M) since E' is an ex- 
tension of E1, therefore event(E'(M)) = event(p) = F is derivable from 
𝓡_{P0',Init} ∪ 𝓕_me. 
When F = message(p, p'), since T satisfies message(p, p'), there exist M and 
M' such that T satisfies message(M, M'), E'(M) = p, and E'(M') = p'. 
So T contains a reduction S1, E1, 𝒫1 ∪ {M̄⟨M'⟩.P, M(x).Q} → S1, E1, 𝒫1 ∪ 
{P, Q{M'/x}}. Therefore E1 ⊢ M̄⟨M'⟩.P. This judgment must have been 
derived by (Output), so message(E1(M), E1(M')) ∈ 𝓕_{P0',Init}. Moreover, 
E1(M) = E'(M) and E1(M') = E'(M') since E' is an extension of 
E1, so message(E'(M), E'(M')) = message(p, p') = F is derivable from 
𝓡_{P0',Init} ∪ 𝓕_me. 

When F = attacker(p'), T also satisfies message(c[], p') for some c ∈ Init. 
Therefore, by the previous case, message(c[], p') is derivable from 𝓡_{P0',Init} ∪ 
𝓕_me. Since c ∈ Init, attacker(c[]) is in 𝓡_{P0',Init}. So, by Clause (Rl), 
attacker(p') = F is derivable from 𝓡_{P0',Init} ∪ 𝓕_me. □ 

C Correctness of the Solving Algorithm 

In terms of security, the soundness of our analysis means that, if a protocol is found 
secure by the analysis, then it is actually secure. Showing soundness in this sense 
essentially amounts to showing that no derivable fact is missed by the resolution 
algorithm, which, in terms of logic programming, is the completeness of the resolution 
algorithm. Accordingly, in terms of security, the completeness of our analysis would 
mean that all secure protocols can be proved secure by our analysis. Completeness in 
terms of security corresponds, in terms of logic programming, to the correctness of the 
resolution algorithm, which means that the resolution algorithm does not derive false 
facts. 

The completeness of "binary resolution with free selection", which is our basic 
algorithm, was proved in [9, 35, 55]. We extend these proofs by showing that 
completeness still holds with our simplifications of clauses. (These simplifications are often 
specific to security protocols.) 

As a preliminary, we define a sort system, with three sorts: session identifiers, 
ordinary patterns, and environments. Name function symbols expect session identifiers 
as their last k arguments, where k is the number of replications above the restriction 
that defines the considered name function symbol, and ordinary patterns as other 
arguments. The pattern a[p1, ..., pn, i1, ..., ik] is an ordinary pattern. Constructors f 
expect ordinary patterns as arguments and f(p1, ..., pn) is an ordinary pattern. The 
predicates attacker and message expect ordinary patterns as arguments. The predi- 
cate event expects an ordinary pattern and, for injective events, a session identifier. 
The predicate m-event expects an ordinary pattern and, for injective events, an envi- 
ronment. We say that a pattern, fact, clause, or set of clauses is well-sorted when these 
constraints are satisfied. 

Lemma 10 All clauses manipulated by the algorithm are well-sorted, and if a variable 
occurs in the conclusion of a clause and is not a session identifier, then it also occurs 
in non-m-event facts in its hypothesis. 
Proof It is easy to check that all patterns and facts are well-sorted in the clause gener- 
ation algorithm. One only unifies patterns of the same sort. The environment ρ and the 
substitutions always map a variable to a pattern of the same sort. During the building 
of clauses, the variables in the image of ρ that are not session identifiers also occur in 
non-m-event facts in H, and the variables in the conclusion of generated clauses are in 
the image of ρ. Hence, the clauses in 𝓡_{P0',Init} satisfy Lemma 10. 

Furthermore, this property is preserved by resolution. Resolution generates a clause 
R'' = σu H ∧ σu H' ⇒ σu C' from clauses R = H ⇒ C and R' = H' ∧ F0 ⇒ C' that 
satisfy Lemma 10, where σu is the most general unifier of C and F0. The substitution 
σu unifies elements of the same sort, so σu maps each variable to an element of the 
same sort, so R'' is well-sorted. If a non-session identifier variable x occurs in σu C', 
then there is a non-session identifier variable y in C' such that x occurs in σu y. Then 
y occurs in non-m-event facts in the hypothesis of R', H' ∧ F0. First case: y occurs 
in non-m-event facts in H', so x occurs in σu H', so x occurs in non-m-event facts 
in the hypothesis of R''. Second case: y occurs in F0, so x occurs in σu F0 = σu C, 
so there is a non-session identifier variable z such that z occurs in C and x occurs in 
σu z, so z occurs in non-m-event facts in H, so x occurs in non-m-event facts in σu H, 
so x occurs in non-m-event facts in the hypothesis of R''. In both cases, x occurs in 
non-m-event facts in the hypothesis of R''. Therefore, R'' satisfies Lemma 10. 

This property is also preserved by the simplification functions. □ 

Definition 17 (Derivation) Let F be a closed fact. Let 𝓡 be a set of clauses. A 
derivation of F from 𝓡 is a finite tree defined as follows: 

1. Its nodes (except the root) are labeled by clauses R ∈ 𝓡. 

2. Its edges are labeled by closed facts. (Edges go from a node to each of its sons.) 

3. If the tree contains a node labeled by R with one incoming edge labeled by F0 
and n outgoing edges labeled by F1, ..., Fn, then R ⊒ {F1, ..., Fn} ⇒ F0. 

4. The root has one outgoing edge, labeled by F. The unique son of the root is 
named the subroot. 

In a derivation, if there is a node labeled by R with one incoming edge labeled by 
F0 and n outgoing edges labeled by F1, ..., Fn, then the clause R can be used to infer 
F0 from F1, ..., Fn. Therefore, there exists a derivation of F from 𝓡 if and only if F 
can be inferred from clauses in 𝓡 (in classical logic). 

The key idea of the proof of Lemma 2 is the following. Assume that F is derivable 
from 𝓡0 ∪ 𝓕_me and consider a derivation of F from 𝓡0 ∪ 𝓕_me. Assume that the clauses 
R and R' are applied one after the other in the derivation of F. Also assume that these 
clauses have been combined by R ∘_{F0} R', yielding clause R''. In this case, we replace 
R and R' with R'' in the derivation of F. When no more replacement can be done, we 
show that all remaining clauses have no selected hypothesis. So all these clauses are in 
𝓡1 = saturate(𝓡0), and we have built a derivation of F from 𝓡1. 

To show that this replacement process terminates, we remark that the total number 
of nodes of the derivation strictly decreases. 
Next, we introduce the notion of data-decomposed derivation. This notion is useful 
for proving the correctness of the decomposition of data constructors. (In the absence 
of data constructors, all derivations are data-decomposed.) 

Definition 18 A derivation D is data-decomposed if and only if, for all edges η' → η 
in D labeled by attacker(f(p1, ..., pn)) for some data constructor f, the node η' is 
labeled by a clause attacker(f(x1, ..., xn)) ⇒ attacker(xi) for some i or the node 
η is labeled by the clause attacker(x1) ∧ ... ∧ attacker(xn) ⇒ attacker(f(x1, ..., 
xn)). 

Intuitively, a derivation is data-decomposed when all intermediate facts proved 
in that derivation are decomposed as much as possible using data-destructor clauses 
attacker(f(x1, ..., xn)) ⇒ attacker(xi) before being used to prove other facts. We 
are going to transform the initial derivation into a data-decomposed derivation. Further 
transformations of the derivation will keep it data-decomposed. 

The next lemma shows that two nodes in a derivation can be replaced by one when 
combining their clauses by resolution. 

Lemma 11 Consider a data-decomposed derivation containing a node η', labeled R'. 
Let F0 be a hypothesis of R'. Then there exists a son η of η', labeled R, such that the 
edge η' → η is labeled by an instance of F0, R ∘_{F0} R' is defined, and, if sel(R) = ∅ and 
F0 ∈ sel(R'), one obtains a data-decomposed derivation of the same fact by replacing 
the nodes η and η' with a node η'' labeled R'' = R ∘_{F0} R'. 

Proof This proof is illustrated in Figure 8. Let R' = H' ⇒ C', H1' be the multiset of 
the labels of the outgoing edges of η', and C1' the label of its incoming edge. We have 
R' ⊒ (H1' ⇒ C1'), so there exists σ such that σH' ⊆ H1' and σC' = C1'. Hence there 
is an outgoing edge of η' labeled σF0, since σF0 ∈ H1'. Let η be the node at the end of 
this edge, let R = H ⇒ C be the label of η. We rename the variables of R such that 
they are distinct from the variables of R'. Let H1 be the multiset of the labels of the 
outgoing edges of η. So R ⊒ (H1 ⇒ σF0). By the above choice of distinct variables, 
we can then extend σ such that σH ⊆ H1 and σC = σF0. 

The edge η' → η is labeled σF0, instance of F0. Since σC = σF0, the facts C and 
F0 are unifiable, so R ∘_{F0} R' is defined. Let σ' be the most general unifier of C and 
F0, and σ'' such that σ = σ''σ'. We have R ∘_{F0} R' = σ'(H ∪ (H' \ {F0})) ⇒ σ'C'. 
Moreover, σ''σ'(H ∪ (H' \ {F0})) ⊆ H1 ∪ (H1' \ {σF0}) and σ''σ'C' = σC' = C1'. 
Hence R'' = R ∘_{F0} R' ⊒ (H1 ∪ (H1' \ {σF0})) ⇒ C1'. The multiset of labels of 
outgoing edges of η'' is precisely H1 ∪ (H1' \ {σF0}) and the label of its incoming 
edge is C1', therefore we have obtained a correct derivation by replacing η and η' with 
η''. 

Let us show that the obtained derivation is data-decomposed. Consider an edge 
η1' → η1 in this derivation, labeled by F = attacker(f(p1, ..., pn)), where f is a data 
constructor. 

• If η1' and η1 are different from η'', then the same edge exists in the initial deriva- 
tion, so it is of the desired form. 
Figure 8: Merging of nodes of Lemma 11 

• If η1' = η'', then there is an edge η → η1 labeled by F in the initial 
derivation. Since the initial derivation is data-decomposed, η is labeled by 
R = attacker(f(x1, ..., xn)) ⇒ attacker(xi) or η1 is labeled by R1 = 
attacker(x1) ∧ ... ∧ attacker(xn) ⇒ attacker(f(x1, ..., xn)). The former 
case is impossible because sel(R) = ∅. In the latter case, η1 is labeled by R1, so 
we have the desired form in the obtained derivation. 

• If η1 = η'', then there is an edge η1' → η' labeled by F in the initial 
derivation. Since the initial derivation is data-decomposed, η1' is labeled by 
R1' = attacker(f(x1, ..., xn)) ⇒ attacker(xi) or η' is labeled by R' = 
attacker(x1) ∧ ... ∧ attacker(xn) ⇒ attacker(f(x1, ..., xn)). The latter case 
is impossible because sel(R') ≠ ∅. In the former case, η1' is labeled by R1', so we 
have the desired form in the obtained derivation. 

Hence the obtained derivation is data-decomposed. □ 
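The resolution step R ∘_{F0} R' of Lemma 11, the subsumption check behind condition 3 of Definition 17, and the decomphyp simplification of Lemma 16, as an added worked example in Python (not the paper's own implementation); the clause R_p, the data constructor pair, the constructor senc and the names k, m, n are constructed for the illustration:

```python
"""Appendix C clause operations as an added worked example (not the paper's own
implementation): matching gives subsumption R ⊒ R' (Definition 17, condition 3),
unification gives resolution R ∘_{F0} R' (Lemma 11), and decomphyp is the
data-constructor simplification of Lemma 16. All clauses below are constructed."""

# A pattern is a variable (a str) or a tuple (symbol, arg1, ..., argn); the name
# a[] is ('a',). A fact is (predicate, arg, ...); a clause is (H, C) with H a
# list of hypothesis facts (a multiset) and C the conclusion fact.

def is_var(t): return isinstance(t, str)

def occurs(v, t): return t == v if is_var(t) else any(occurs(v, a) for a in t[1:])

def apply(subst, t):
    """Apply a substitution (dict var -> pattern) to a pattern or a fact."""
    if is_var(t):
        return apply(subst, subst[t]) if t in subst else t
    return (t[0],) + tuple(apply(subst, a) for a in t[1:])

def unify(s, t, subst):
    """Most general unifier of s and t extending subst, or None (occurs check)."""
    s, t = apply(subst, s), apply(subst, t)
    if s == t:
        return subst
    if is_var(s):
        return None if occurs(s, t) else {**subst, s: t}
    if is_var(t):
        return unify(t, s, subst)
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        subst = unify(a, b, subst)
        if subst is None:
            return None
    return subst

def match(pat, t, subst):
    """One-way matching: binds only variables of pat; variables of t are rigid."""
    if is_var(pat):
        if pat in subst:
            return subst if subst[pat] == t else None
        return {**subst, pat: t}
    if is_var(t) or pat[0] != t[0] or len(pat) != len(t):
        return None
    for a, b in zip(pat[1:], t[1:]):
        subst = match(a, b, subst)
        if subst is None:
            return None
    return subst

def subsumes(R, Rp):
    """R ⊒ R': there is σ with σH ⊆ H' (multiset inclusion) and σC = C'."""
    (H, C), (Hp, Cp) = R, Rp
    s0 = match(C, Cp, {})
    if s0 is None or len(H) > len(Hp):
        return False
    def go(i, s, used):  # backtracking injection of the hypotheses of R into H'
        if i == len(H):
            return True
        for j, f in enumerate(Hp):
            s2 = None if j in used else match(H[i], f, s)
            if s2 is not None and go(i + 1, s2, used | {j}):
                return True
        return False
    return go(0, s0, frozenset())

def resolve(R, Rp, k):
    """R ∘_{F0} R' with F0 the k-th hypothesis of R' (Lemma 11): σ'(H ∪ (H' \\ {F0}))
    ⇒ σ'C' with σ' = mgu(C, F0), or None. R is assumed renamed apart from R'."""
    (H, C), (Hp, Cp) = R, Rp
    s = unify(C, Hp[k], {})
    if s is None:
        return None
    return ([apply(s, f) for f in H + Hp[:k] + Hp[k + 1:]], apply(s, Cp))

def decomphyp(R, data):
    """Replace each hypothesis attacker(f(p1, ..., pn)), f a data constructor in
    data, by attacker(p1), ..., attacker(pn) (the decomphyp case of Lemma 16)."""
    H, C = R
    out = []
    for f in H:
        if f[0] == 'attacker' and not is_var(f[1]) and f[1][0] in data:
            out.extend(('attacker', a) for a in f[1][1:])
        else:
            out.append(f)
    return (out, C)

DATA = {'pair'}  # constructed: pair is the only data constructor of this example
# R_f = attacker(x1) ∧ attacker(x2) ⇒ attacker(pair(x1, x2))   (clause for pair)
R_f = ([('attacker', 'x1'), ('attacker', 'x2')], ('attacker', ('pair', 'x1', 'x2')))
# R_p = attacker(pair(y, z)) ∧ attacker(k[]) ⇒ attacker(senc(z, y))   (constructed)
R_p = ([('attacker', ('pair', 'y', 'z')), ('attacker', ('k',))],
       ('attacker', ('senc', 'z', 'y')))

def example():
    """Resolving R_f into the pair hypothesis of R_p gives exactly decomphyp(R_p)
    (the converse of the decomphyp case in the proof of Lemma 16), and the result
    labels a ground derivation node only if all its hypotheses are outgoing edges."""
    Rpp = resolve(R_f, R_p, 0)
    f0 = ('attacker', ('senc', ('m',), ('n',)))          # incoming edge
    edges = [('attacker', ('n',)), ('attacker', ('m',)), ('attacker', ('k',))]
    return (Rpp == decomphyp(R_p, DATA),
            subsumes(Rpp, (edges, f0)), subsumes(Rpp, (edges[:2], f0)))
```

With the duplicate-free hypotheses of R_p, `example()` returns (True, True, False): the resolvent coincides with the decomposed clause, and dropping attacker(k[]) from the outgoing edges breaks condition 3 of Definition 17.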

Lemma 12 If a node η of a data-decomposed derivation D is labeled by R, then one 
obtains a data-decomposed derivation D' of the same fact as D by relabeling η with a 
clause R' such that R' ⊒ R. 

Proof Let H be the multiset of labels of outgoing edges of the considered node η, 
and C be the label of its incoming edge. We have R ⊒ H ⇒ C. By transitivity of ⊒, 
R' ⊒ H ⇒ C. So we can relabel η with R'. 

Let us show that the obtained derivation D' is data-decomposed. Consider an edge 
η1' → η1 in D', labeled by F = attacker(f(p1, ..., pn)), where f is a data constructor. 

• If η1' and η1 are different from η, then the same edge exists in the initial derivation 
D, so it is of the desired form. 

• If η1' = η, then there is an edge η1' → η1 in D, labeled by F. Since D 
is data-decomposed, η1' = η is labeled by R = attacker(f(x1, ..., xn)) ⇒ 
attacker(xi) or η1 is labeled by R1 = attacker(x1) ∧ ... ∧ attacker(xn) ⇒ 
attacker(f(x1, ..., xn)) in D. In the latter case, we have the desired form in 
D'. In the former case, let R' = H' ⇒ C'. We have R' ⊒ R, so there ex- 
ists σ such that σH' ⊆ {attacker(f(x1, ..., xn))} and σC' = attacker(xi). 
Hence C' = attacker(y) where σy = xi, and H' = ∅ or H' = attacker(z) 
with σz = f(x1, ..., xn) or H' = attacker(f(y1, ..., yn)) with σyj = xj 
for all j ≤ n. By Lemma 10, y occurs in H', so H' ≠ ∅. If we had 
H' = attacker(z), σz ≠ σy, so z ≠ y, so this case is impossible. Hence 
H' = attacker(f(y1, ..., yn)). Moreover, σyj ≠ σy for all j ≠ i, so yj ≠ y 
for all j ≠ i. Since y occurs in H', y = yi. Hence R' = R up to renaming, and 
we have the desired form in D'. 

• If η1 = η, then there is an edge η1' → η1 in D, labeled by F. Since 
D is data-decomposed, η1' is labeled by R1' = attacker(f(x1, ..., xn)) ⇒ 
attacker(xi) or η1 = η is labeled by R = attacker(x1) ∧ ... ∧ attacker(xn) ⇒ 
attacker(f(x1, ..., xn)) in D. In the former case, we have the desired form in 
D'. In the latter case, let R' = H' ⇒ C'. We have R' ⊒ R, so there exists σ such 
that σH' ⊆ {attacker(x1), ..., attacker(xn)} and σC' = attacker(f(x1, ..., 
xn)). Hence H' = ⋀_{j ∈ J} attacker(yj) where J ⊆ {1, ..., n} and σyj = xj 
for all j ∈ J, and C' = attacker(y) with σy = f(x1, ..., xn) or C' = 
attacker(f(y1', ..., yn')) with σyj' = xj for all j ≤ n. By Lemma 10, if 
C' = attacker(y), y occurs in H', but this is impossible because σyj ≠ σy 
for all j ∈ J. So C' = attacker(f(y1', ..., yn')). By Lemma 10, yj' occurs in H' 
for all j ≤ n, so J = {1, ..., n} and yj' = yj for all j ≤ n. Hence R' = R up 
to renaming, and we have the desired form in D'. 

Hence the obtained derivation D' is data-decomposed. □ 

Definition 19 We say that 𝓡 ⊒_set 𝓡' if, for all clauses R in 𝓡', R is subsumed by a 
clause of 𝓡. 

Lemma 13 If 𝓡 ⊒_set 𝓡' and D is a data-decomposed derivation containing a node 
η labeled by R ∈ 𝓡', then one can build a data-decomposed derivation D' of the same 
fact as D by relabeling η with a clause in 𝓡. 

Proof Obvious by Lemma 12. □ 

Lemma 14 If 𝓡 ⊒_set 𝓡', then elim(𝓡) ⊒_set 𝓡'. 

Proof This is an immediate consequence of the transitivity of ⊒. □ 

Lemma 15 At the end of saturate, 𝓡 satisfies the following properties: 

1. For all R ∈ 𝓡0, 𝓡 ⊒_set simplify(R); 

2. Let R ∈ 𝓡 and R' ∈ 𝓡. Assume that sel(R) = ∅ and there exists F0 ∈ sel(R') 
such that R ∘_{F0} R' is defined. In this case, 𝓡 ⊒_set simplify(R ∘_{F0} R'). 
Proof To prove the first property, let R ∈ 𝓡0. We show that, after the addition of R 
to 𝓡, 𝓡 ⊒_set simplify(R). 

In the first step of saturate, we execute the instruction 𝓡 ← elim(simplify(R) ∪ 
𝓡). We have simplify(R) ∪ 𝓡 ⊒_set simplify(R), so, by Lemma 14, after execution 
of this instruction, 𝓡 ⊒_set simplify(R). 

Assume that we execute 𝓡 ← elim(simplify(R'') ∪ 𝓡), and before this execution 
𝓡 ⊒_set simplify(R). Hence simplify(R'') ∪ 𝓡 ⊒_set simplify(R), so, by Lemma 14, 
after the execution of this instruction, 𝓡 ⊒_set simplify(R). 

The second property simply means that the fixpoint is reached at the end of 
saturate, so 𝓡 = elim(simplify(R ∘_{F0} R') ∪ 𝓡). Since simplify(R ∘_{F0} R') ∪ 𝓡 ⊒_set 
simplify(R ∘_{F0} R'), by Lemma 14, elim(simplify(R ∘_{F0} R') ∪ 𝓡) ⊒_set simplify(R ∘_{F0} 
R'), so 𝓡 ⊒_set simplify(R ∘_{F0} R'). □ 

Lemma 16 Let f ∈ {elimattx, elimtaut, elimnot, elimredundanthyp, elimdup, 
decomp, decomphyp, simplify, simplify'}. 

If the data-decomposed derivation D contains a node η labeled R, then one obtains 
a data-decomposed derivation D' of the same fact as D or of an instance of a fact in 
𝓕_not by relabeling η with some R' ∈ f(R) or removing η, and possibly deleting nodes. 
Furthermore, if D' is not a derivation of the same fact as D, then η is removed. 

If D' contains a node labeled R' ∈ f(R), then there exists a derivation D using R, 
the clauses of D' except R', and the clauses of 𝓡 that derives the same fact as D'. 

When R is unchanged by f, that is, f(R) = {R}, this lemma is obvious. So, in the 
proofs below, we consider only the cases in which R is modified by f. 

Proof (for elimattx) The direct part is obvious: R' is built from R by removing some 
hypotheses, so we just remove the subtrees corresponding to removed hypotheses of R. 

Conversely, let p be a closed pattern such that attacker(p) is derivable from 𝓡0. 
(There exists an infinite number of such p.) We build a derivation D by replacing R' 
with R in D' and adding a derivation of attacker(p) as a subtree of the nodes labeled 
by R' in D'. □ 

Proof (for elimtaut) Assume that R is a tautology. For the direct part, we remove η 
and replace it with one of its subtrees. The converse is obvious since elimtaut(R) = ∅. 
□ 



Proof (for elimnot) Assume that R contains as hypothesis an instance F of a fact 
in 𝓕_not. Then elimnot(R) = ∅. Since D is a derivation, a son η' of η infers an 
instance of F. We let D' be the sub-derivation with subroot η'. D' is a derivation of an 
instance of a fact in 𝓕_not, so we obtain the direct part. The converse is obvious since 
elimnot(R) = ∅. □ 

Proof (for elimredundanthyp) We have R = H ∧ H' ⇒ C, σH ⊆ H', σ does not 
change the variables of H' and C, and R' = H' ⇒ C. 

For the direct part, R' is built from R by removing some hypotheses, so we just 
remove the subtrees corresponding to removed hypotheses of R. 

For the converse, we obtain a derivation D by duplicating the subtrees proving 
instances of elements of H' that are also in σH and replacing R' with R. □ 

Proof (for elimdup) For the direct part, R' is built from R by removing some 
hypotheses, so we just remove the subtrees corresponding to removed hypotheses of R. 

Conversely, we can form a derivation using R instead of R' by duplicating the 
subtrees that derive the duplicate hypotheses of R. □ 

Proof (for decomp and decomphyp) If R is modified by decomp or decomphyp, 
then R is of one of the following forms: 

• R = attacker(f(p1, ..., pn)) ∧ H ⇒ C, where f is a data constructor (for both 
decomp and decomphyp). 

For the direct part, let η' be the son of η corresponding to the hypothesis 
attacker(f(p1, ..., pn)). The edge η → η' is labeled by an instance of 
attacker(f(p1, ..., pn)), so, since D is data-decomposed, η' is labeled by 
attacker(x1) ∧ ... ∧ attacker(xn) ⇒ attacker(f(x1, ..., xn)). (The clause 
R that labels η cannot be attacker(f(x1, ..., xn)) ⇒ attacker(xi), since this 
clause would be unmodified by decomp and decomphyp.) Then we build D' by 
relabeling η with R' = attacker(p1) ∧ ... ∧ attacker(pn) ∧ H ⇒ C and deleting 
η'. 

For the converse, we replace R' = attacker(p1) ∧ ... ∧ attacker(pn) ∧ H ⇒ C 
in D' with attacker(x1) ∧ ... ∧ attacker(xn) ⇒ attacker(f(x1, ..., xn)) and 
R = attacker(f(p1, ..., pn)) ∧ H ⇒ C in D. 

• R = H ⇒ attacker(f(p1, ..., pn)), where f is a data constructor (for decomp 
only). 

For the direct part, let η' be the father of η. The edge η' → η is labeled by an in- 
stance of attacker(f(p1, ..., pn)), so, since D is data-decomposed, η' is labeled 
by attacker(f(x1, ..., xn)) ⇒ attacker(xi) for some i. (The clause R that la- 
bels η cannot be attacker(x1) ∧ ... ∧ attacker(xn) ⇒ attacker(f(x1, ..., xn)) 
since this clause would be unmodified by decomp.) Then we build D' by rela- 
beling η with R' = H ⇒ attacker(pi) and deleting η'. 

For the converse, we replace R' = H ⇒ attacker(pi) in D' with R = H ⇒ 
attacker(f(p1, ..., pn)) and attacker(f(x1, ..., xn)) ⇒ attacker(xi) in D. □ 

Proof (for simplify and simplify') For simplify and simplify', the result is obtained 
by applying Lemma 16 for the functions that compose simplify and simplify'. □ 

Proof of Lemma 2 Let F be a closed fact. If, for all F' ∈ 𝓕_not, no instance of F' 
is derivable from saturate(𝓡0) ∪ 𝓕_me, then F is derivable from 𝓡0 ∪ 𝓕_me if and only 
if F is derivable from saturate(𝓡0) ∪ 𝓕_me. 

Proof Assume that F is derivable from 𝓡0 ∪ 𝓕_me and consider a derivation of F 
from 𝓡0 ∪ 𝓕_me. We show that F or an instance of a fact in 𝓕_not is derivable from 
saturate(𝓡0) ∪ 𝓕_me. 
Figure 9: Construction of a data-decomposed derivation 



We first transform the derivation of F into a data-decomposed derivation. We say 
that an edge η' → η is offending when it is labeled by Ff = attacker(f(p1, ..., pn)) 
for some data constructor f, η' is not labeled by Rf,i = attacker(f(x1, ..., xn)) ⇒ 
attacker(xi) for some i, and η is not labeled by Rf = attacker(x1) ∧ ... ∧ 
attacker(xn) ⇒ attacker(f(x1, ..., xn)). We consider an offending edge η' → η 
such that the subtree D of root η contains no offending edge. We copy the subtree D, 
which concludes Ff, n times and add the clauses Rf,i for i = 1, ..., n, to conclude 
Ff,i = attacker(pi), then use the clause Rf to conclude Ff again, as in Figure 9. This 
transformation decreases the total number of data constructors at the root of labels of 
offending edges. Indeed, since there are no offending edges in D, the only edges that 
may be offending in the new subtree of root η' are those labeled by Ff,1, ..., Ff,n. The 
total number of data constructors at the root of their labels is the total number of data 
constructors at the root of p1, ..., pn, which is one less than the total number of data 
constructors at the root of f(p1, ..., pn). Hence, this transformation terminates and, 
upon termination, the obtained derivation contains no offending edge, so it is data- 
decomposed. 

We consider the value of the set of clauses $\mathcal{R}$ at the end of saturate. For each clause $R$ in $\mathcal{R}_0$, $\mathcal{R} \sqsupseteq_{set} \mathrm{simplify}(R)$ (Lemma 15, Property 1). Assume that there exists a node labeled by $R \in \mathcal{R}_0 \setminus \mathcal{R}$ in this derivation. By Lemma 16, we can replace $R$ with some $R'' \in \mathrm{simplify}(R)$ or remove $R$. (After this replacement, we may obtain a derivation of an instance of a fact in $\mathcal{F}_{not}$ instead of a derivation of $F$.) If $R$ is replaced with $R''$, by Lemma 13, we can replace $R''$ with a clause in $\mathcal{R}$. This transformation decreases the number of nodes labeled by clauses not in $\mathcal{R}$. So this transformation terminates and, upon termination, no node of the obtained derivation is labeled by a clause in $\mathcal{R}_0 \setminus \mathcal{R}$. Therefore, we obtain a data-decomposed derivation $D$ of $F$ or of an instance of a fact in $\mathcal{F}_{not}$ from $\mathcal{R} \cup \mathcal{F}_{me}$.

Next, we build a data-decomposed derivation of $F$ or of an instance of a fact in $\mathcal{F}_{not}$ from $\mathcal{R}_1 \cup \mathcal{F}_{me}$, where $\mathcal{R}_1 = \mathrm{saturate}(\mathcal{R}_0)$. If $D$ contains a node labeled by a clause not in $\mathcal{R}_1 \cup \mathcal{F}_{me}$, we can transform $D$ as follows. Let $\eta'$ be a lowest node of $D$ labeled by a clause not in $\mathcal{R}_1 \cup \mathcal{F}_{me}$. So all sons of $\eta'$ are labeled by elements of $\mathcal{R}_1 \cup \mathcal{F}_{me}$. Let $R'$ be the clause labeling $\eta'$. Since $R' \notin \mathcal{R}_1 \cup \mathcal{F}_{me}$, $\mathrm{sel}(R') \neq \emptyset$. Take $F_0 \in \mathrm{sel}(R')$. By Lemma 11, there exists a son $\eta$ of $\eta'$ labeled by $R$, such that $R \circ_{F_0} R'$ is defined. Since all sons of $\eta'$ are labeled by elements of $\mathcal{R}_1 \cup \mathcal{F}_{me}$, $R \in \mathcal{R}_1 \cup \mathcal{F}_{me}$. By definition of the selection function, $F_0$ is not a m-event fact, so $R \notin \mathcal{F}_{me}$, so $R \in \mathcal{R}_1$. Hence $\mathrm{sel}(R) = \emptyset$. So, by Lemma 15, Property 2, $\mathcal{R} \sqsupseteq_{set} \mathrm{simplify}(R \circ_{F_0} R')$. So, by Lemma 11, we can replace $\eta$ and $\eta'$ with $\eta''$ labeled by $R \circ_{F_0} R'$. By Lemma 16, we can replace $R \circ_{F_0} R'$ with some $R''' \in \mathrm{simplify}(R \circ_{F_0} R')$ or remove $R \circ_{F_0} R'$.

• If $R \circ_{F_0} R'$ is replaced with $R'''$, then by Lemma 13, we can replace $R'''$ with a clause in $\mathcal{R}$. The total number of nodes strictly decreases since $\eta$ and $\eta'$ are replaced with a single node.

• If $R \circ_{F_0} R'$ is removed, then the total number of nodes strictly decreases since $\eta$ and $\eta'$ are removed.

So in all cases, we obtain a derivation $D'$ of $F$ or of an instance of a fact in $\mathcal{F}_{not}$ from $\mathcal{R} \cup \mathcal{F}_{me}$, such that the total number of nodes strictly decreases. Hence, this replacement process terminates. Upon termination, all clauses are in $\mathcal{R}_1 \cup \mathcal{F}_{me}$. So we obtain a data-decomposed derivation of $F$ or of an instance of a fact in $\mathcal{F}_{not}$ from $\mathcal{R}_1 \cup \mathcal{F}_{me}$, which is the expected result.

For the converse implication, notice that if a fact is derivable from $\mathcal{R}_1$ then it is derivable from $\mathcal{R}$, and that the clauses added to $\mathcal{R}$ do not create new derivable facts: when composing two clauses $R$ and $R'$, the created clause can derive only facts that could also be derived by $R$ and $R'$. □

Proof of Lemma 3 Let $F'$ be a closed instance of $F$. If, for all $F'' \in \mathcal{F}_{not}$, $\mathrm{derivable}(F'', \mathcal{R}_1) = \emptyset$, then $F'$ is derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$ if and only if there exist a clause $H \Rightarrow C$ in $\mathrm{derivable}(F, \mathcal{R}_1)$ and a substitution $\sigma$ such that $\sigma C = F'$ and all elements of $\sigma H$ are derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$.

Proof Let us prove the direct implication. Let $T = \{(F, F')\} \cup \{(F'', \sigma F'') \mid F'' \in \mathcal{F}_{not}, \sigma \text{ any substitution}\}$. We show that, if $F'$ is derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$, then there exist a clause $H \Rightarrow C$ in $\mathrm{derivable}(F_g, \mathcal{R}_1)$ and a substitution $\sigma$ such that $(F_g, \sigma C) \in T$ and all elements of $\sigma H$ are derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$. (This property proves the desired result. If, for all $F'' \in \mathcal{F}_{not}$, $\mathrm{derivable}(F'', \mathcal{R}_1) = \emptyset$ and $F'$ is derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$, then there exist a clause $H \Rightarrow C$ in $\mathrm{derivable}(F_g, \mathcal{R}_1)$ and a substitution $\sigma$ such that $(F_g, \sigma C) \in T$ and all elements of $\sigma H$ are derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$. Since, for all $F'' \in \mathcal{F}_{not}$, $\mathrm{derivable}(F'', \mathcal{R}_1) = \emptyset$, we have $F_g = F$ and $F \notin \mathcal{F}_{not}$. Since $(F, \sigma C) \in T$, we have then $\sigma C = F'$.)

Let $\mathcal{D}$ be the set of derivations $D'$ of a fact $F_i$ such that, for some $F_g$ and $\mathcal{R}$, $(F_g, F_i) \in T$, the clause $R'$ at the subroot of $D'$ satisfies $\mathrm{deriv}(R', \mathcal{R}, \mathcal{R}_1) \subseteq \mathrm{derivable}(F_g, \mathcal{R}_1)$ and $\forall R'' \in \mathcal{R}, R'' \not\sqsupseteq R'$, and the other clauses of $D'$ are in $\mathcal{R}_1 \cup \mathcal{F}_{me}$.
Let attacker' be a new predicate symbol. Let $D$ be a derivation. If $D$ is a derivation of $attacker(p)$, we let $D'$ be the derivation obtained by replacing the clause $H \Rightarrow attacker(p_1)$ at its subroot with $H \Rightarrow attacker'(p_1)$ and the fact $attacker(p)$ derived by $D$ with $attacker'(p)$. If $D$ is not a derivation of $attacker(p)$, we let $D'$ be $D$. We say that the derivation $D$ is almost-data-decomposed when $D'$ is data-decomposed. We first show that all derivations $D$ in $\mathcal{D}$ are almost-data-decomposed. Let $D'$ be the transformed derivation as defined above. Let $\eta' \to \eta$ be an edge of $D'$ labeled by $F = attacker(f(p_1, \ldots, p_n))$, where $f$ is a data constructor. This edge is not the outgoing edge of the root of $D'$, because $D'$ does not conclude $attacker(p)$ for any $p$. So the clause that labels $\eta$ is of the form $R = H \Rightarrow attacker(p)$ and it is in $\mathcal{R}_1$. In order to obtain a contradiction, assume that $p$ is a variable $x$. Since $\mathrm{sel}(R) = \emptyset$, $H$ contains only unselectable facts. By Lemma 10, $x$ occurs in non-m-event facts in $H$, so $H$ contains $attacker(x)$. So $R$ is a tautology. This is impossible because $R$ would have been removed from $\mathcal{R}_1$ by elimtaut. So $p$ is not a variable. Hence $p = f(p'_1, \ldots, p'_n)$. If $R$ was different from $attacker(x_1) \wedge \ldots \wedge attacker(x_n) \Rightarrow attacker(f(x_1, \ldots, x_n))$, $R$ would have been transformed by decomp, so $R$ would not be in $\mathcal{R}_1$. Hence $R = attacker(x_1) \wedge \ldots \wedge attacker(x_n) \Rightarrow attacker(f(x_1, \ldots, x_n))$. Therefore, $D'$ is data-decomposed, so $D$ is almost-data-decomposed. Below, when we apply Lemma 11, 16, or 12, we first transform the considered derivation $D$ into $D'$, apply the lemma to the data-decomposed derivation $D'$, and transform it back by replacing attacker' with attacker. We obtain the same result as by transforming $D$ directly, because the simplifications of simplify' apply in the same way when the conclusion is $attacker(p)$ or $attacker'(p)$, since simplify' uses decomphyp instead of decomp and does not use elimtaut.

Let $D_0$ be a derivation of $F'$ from $\mathcal{R}_1 \cup \mathcal{F}_{me}$. Let $D'$ be obtained from $D_0$ by adding a node labeled by $F \Rightarrow F$ at the subroot of $D_0$. By definition of derivable, $\mathrm{deriv}(R', \emptyset, \mathcal{R}_1) \subseteq \mathrm{derivable}(F, \mathcal{R}_1)$, and $\forall R'' \in \emptyset, R'' \not\sqsupseteq R'$. Hence $D'$ is a derivation of $F'$ in $\mathcal{D}$, so $\mathcal{D}$ is non-empty.

Now consider a derivation $D_1$ in $\mathcal{D}$ with the smallest number of nodes. The clause $R'$ labeling the subroot $\eta'$ of $D_1$ satisfies $(F_g, F_i) \in T$, $\mathrm{deriv}(R', \mathcal{R}, \mathcal{R}_1) \subseteq \mathrm{derivable}(F_g, \mathcal{R}_1)$, and $\forall R'' \in \mathcal{R}, R'' \not\sqsupseteq R'$. In order to obtain a contradiction, we assume that $\mathrm{sel}(R') \neq \emptyset$. Let $F_0 \in \mathrm{sel}(R')$. By Lemma 11, there exists a son $\eta$ of $\eta'$, labeled by $R$, such that $R \circ_{F_0} R'$ is defined. By hypothesis on the derivation $D_1$, $R \in \mathcal{R}_1 \cup \mathcal{F}_{me}$. By the choice of the selection function, $F_0$ is not a m-event fact, so $R \notin \mathcal{F}_{me}$, so $R \in \mathcal{R}_1$. Let $R_0 = R \circ_{F_0} R'$. So, by Lemma 11, we can replace $R'$ with $R_0$, obtaining a derivation $D_2$ of $F_i$ with fewer nodes than $D_1$.

By Lemma 16, we can either replace $R_0$ with some $R'_0 \in \mathrm{simplify}'(R_0)$ or remove $R_0$, yielding a derivation $D_3$.

• In the latter case, $D_3$ is a derivation of a fact $F'_i$ which is either $F_i$ or an instance of a fact $F'_g$ in $\mathcal{F}_{not}$. If $F'_i = F_i$, we let $F'_g = F_g$. So $(F'_g, F'_i) \in T$.

We replace $R_0$ with $R'_0 = F'_g \Rightarrow F'_g$ in $D_2$. Hence we obtain a derivation with fewer nodes than $D_1$ and such that $\mathrm{deriv}(R'_0, \emptyset, \mathcal{R}_1) \subseteq \mathrm{derivable}(F'_g, \mathcal{R}_1)$ and $\forall R_1 \in \emptyset, R_1 \not\sqsupseteq R'_0$. So we have a derivation in $\mathcal{D}$ with fewer nodes than $D_1$, which is a contradiction.

• In the former case, $D_3$ is a derivation of $F_i$, and $\mathrm{deriv}(R'_0, \{R'\} \cup \mathcal{R}, \mathcal{R}_1) \subseteq \mathrm{deriv}(R', \mathcal{R}, \mathcal{R}_1) \subseteq \mathrm{derivable}(F_g, \mathcal{R}_1)$ (third case of the definition of $\mathrm{deriv}(R', \mathcal{R}, \mathcal{R}_1)$).

  – If $\forall R_1 \in \{R'\} \cup \mathcal{R}, R_1 \not\sqsupseteq R'_0$, $D_3$ is a derivation of $F_i$ in $\mathcal{D}$, with fewer nodes than $D_1$, which is a contradiction.

  – Otherwise, $\exists R_1 \in \{R'\} \cup \mathcal{R}, R_1 \sqsupseteq R'_0$. Therefore, by Lemma 12, we can build a derivation $D_4$ by replacing $R'_0$ with $R_1$ in $D_3$. There is an older call to deriv, of the form $\mathrm{deriv}(R_1, \mathcal{R}', \mathcal{R}_1)$, such that $\mathrm{deriv}(R_1, \mathcal{R}', \mathcal{R}_1) \subseteq \mathrm{derivable}(F_g, \mathcal{R}_1)$. Moreover, $R_1$ has been added to $\mathcal{R}'$ in this call, since $R_1$ appears in $\{R'\} \cup \mathcal{R}$. Therefore the third case of the definition of $\mathrm{deriv}(R_1, \mathcal{R}', \mathcal{R}_1)$ has been applied, and not the first case. So $\forall R_2 \in \mathcal{R}', R_2 \not\sqsupseteq R_1$, so the derivation $D_4$ is in $\mathcal{D}$ and has fewer nodes than $D_1$, which is a contradiction.

In all cases, we could find a derivation in $\mathcal{D}$ that has fewer nodes than $D_1$. This is a contradiction, so $\mathrm{sel}(R') = \emptyset$, hence $R' \in \mathrm{derivable}(F_g, \mathcal{R}_1)$. The other clauses of this derivation are in $\mathcal{R}_1 \cup \mathcal{F}_{me}$. By definition of a derivation, $R' \sqsupseteq H' \Rightarrow F_i$ where $H'$ is the multiset of labels of the outgoing edges of the subroot of the derivation. Taking $R' = H \Rightarrow C$, there exists $\sigma$ such that $\sigma C = F_i$ and $\sigma H \subseteq H'$, so all elements of $\sigma H$ are derivable from $\mathcal{R}_1 \cup \mathcal{F}_{me}$. We have the result, since $(F_g, F_i) \in T$.

The proof of the converse implication is left to the reader. (Basically, the clause $R \circ_{F_0} R'$ does not generate facts that cannot be generated by applying $R$ and $R'$.) □

D Termination Proof

In this section, we give the proof of Proposition 3 stated in Section 8.1. We denote by $P_0$ a tagged protocol and let $P'_0 = \mathrm{instr}(P_0)$. We have the following properties:

• By Condition C2, the input and output constructs in the protocol always use a public channel $c$. So the facts $message(c, p)$ are replaced with $attacker(p)$ in all clauses. The only remaining clauses containing message are (Rl) and (Rs). Since $message(x, y)$ is selected in these clauses, the only inference with these clauses is to combine (Rs) with (Rl), and it yields a tautology which is immediately removed. Therefore, we can ignore these clauses in our termination proof.

• By hypothesis on the queries and Remark 3, the clauses do not contain m-event facts.

In this section, we use the sort system defined at the beginning of Appendix C (Lemma 10).

The patterns of a fact $pred(p_1, \ldots, p_n)$ are $p_1, \ldots, p_n$. The patterns of a clause $R$ are the patterns of all facts in $R$, and we denote the set of patterns of $R$ by $\mathrm{patterns}(R)$. A pattern is said to be non-data when it is not of the form $f(\ldots)$ with $f$ a data constructor. The set $\mathrm{sub}(S)$ contains the subterms of patterns in the set $S$. Below, we use the word "program" for a set of clauses (that is, a logic program).
Definition 20 (Weakly tagged programs) Let $S_0$ be a finite set of closed patterns and $tagGen$ be a set of patterns.

A pattern is top-tagged when it is an instance of a pattern in $tagGen$.

A pattern is fully tagged when all its non-variable non-data subterms are top-tagged.

Let $\mathcal{R}_{ProtAdv}$ be the set of clauses $R$ that satisfy Lemma 10 and are of one of the following three forms:

1. $\mathcal{R}_{Protocol}$ contains clauses $R$ of the form $F_1 \wedge \ldots \wedge F_n \Rightarrow F$ where for all $i$, $F_i$ is of the form $attacker(p)$ for some $p$, $F$ is of the form $attacker(p)$ or $event(p)$ for some $p$, there exists a substitution $\sigma$ such that $\mathrm{patterns}(\sigma R) \subseteq \mathrm{sub}(S_0)$, and the patterns of $R$ are fully tagged.

2. $\mathcal{R}_{Constr}$ contains clauses of the form $attacker(x_1) \wedge \ldots \wedge attacker(x_n) \Rightarrow attacker(f(x_1, \ldots, x_n))$ where $f$ is a constructor.

3. $\mathcal{R}_{Destr}$ contains clauses of the form $attacker(f(p_1, \ldots, p_n)) \wedge attacker(x_1) \wedge \ldots \wedge attacker(x_k) \Rightarrow attacker(x)$ where $f$ is a constructor, $p_1, \ldots, p_n$ are fully tagged, $x$ is one of $p_1, \ldots, p_n$, and $f(p_1, \ldots, p_n)$ is more general than every pattern of the form $f(\ldots)$ in $\mathrm{sub}(S_0)$.

A program $\mathcal{R}_0$ is weakly tagged if there exist a finite set of closed patterns $S_0$ and a set of patterns $tagGen$ such that

W1. $\mathcal{R}_0$ is included in $\mathcal{R}_{ProtAdv}$.

W2. If two patterns $p_1$ and $p_2$ in $tagGen$ unify, $p'_1$ is an instance of $p_1$ in $\mathrm{sub}(S_0)$, and $p'_2$ is an instance of $p_2$ in $\mathrm{sub}(S_0)$, then $p'_1 = p'_2$.

Intuitively, a pattern is top-tagged when its root function symbol is tagged (that is, it is of the form $f((c_t, M_1, \ldots, M_n), \ldots)$). A pattern is fully tagged when all its function symbols are tagged.

We are going to show that all clauses generated by the resolution algorithm are in $\mathcal{R}_{ProtAdv}$. Basically, the clauses in $\mathcal{R}_{Protocol}$ satisfy two conditions: they can be instantiated into clauses whose patterns are in $\mathrm{sub}(S_0)$ and they are tagged. Then, all patterns in clauses of $\mathcal{R}_{Protocol}$ are instances of $tagGen$ and have an instance in $\mathrm{sub}(S_0)$. Property W2 allows us to show that this property is preserved by resolution: when unifying two patterns that satisfy the invariant, the result of the unification also satisfies the invariant, because the instances in $\mathrm{sub}(S_0)$ of those two patterns are in fact equal. Thanks to this property, we can show that clauses obtained by resolution from clauses in $\mathcal{R}_{Protocol}$ are still in $\mathcal{R}_{Protocol}$. To prove termination, we show that the size of generated clauses decreases, for a suitable notion of size defined below. The clauses of $\mathcal{R}_{Constr}$ and $\mathcal{R}_{Destr}$ are needed for constructors and destructors. Although they do not satisfy exactly the conditions for being in $\mathcal{R}_{Protocol}$, their resolution with a clause in $\mathcal{R}_{Protocol}$ yields a clause in $\mathcal{R}_{Protocol}$.

Let $Params_{pk}$ and $Params_{host}$ be the sets of arguments of pk resp. host in the terms that occur in the trace of Condition C5. Let $\mathrm{condense}(\mathcal{R}_0)$ be the set of clauses $\mathcal{R}$ obtained by $\mathcal{R} \leftarrow \emptyset$; for each $R \in \mathcal{R}_0$, $\mathcal{R} \leftarrow \mathrm{elim}(\mathrm{simplify}(R) \cup \mathcal{R})$. We first consider the case in which a single long-term key is used, that is, $Params_{pk}$ and $Params_{host}$ have at most one element. The results will be generalized to any number of keys at the end of this section. The next proposition shows that the initial clauses given to the resolution algorithm form a weakly tagged program.

$E, \mathcal{P} \cup \{0\}, \mathcal{M} \to E, \mathcal{P}, \mathcal{M}$ (Red Nil')

$E, \mathcal{P} \cup \{!^i P\}, \mathcal{M} \to E[i \mapsto Id], \mathcal{P} \cup \{P\{Id/i\}\}, \mathcal{M} \cup \{Id\}$ (Red Repl')

$E, \mathcal{P} \cup \{P \mid Q\}, \mathcal{M} \to E, \mathcal{P} \cup \{P, Q\}, \mathcal{M}$ (Red Par')

$E, \mathcal{P} \cup \{(\nu a : \ell)P\}, \mathcal{M} \to E[a \mapsto E(\ell)], \mathcal{P} \cup \{P\}, \mathcal{M} \cup \{M_1, \ldots, M_n, a\}$ where $\ell = a[M_1, \ldots, M_n]$ (Red Res')

$E, \mathcal{P} \cup \{\overline{c}\langle M \rangle.Q\}, \mathcal{M} \to E, \mathcal{P} \cup \{Q\}, \mathcal{M} \cup \{M\}$ (Red Out')

$E, \mathcal{P} \cup \{c(x).P\}, \mathcal{M} \to E[x \mapsto E(M)], \mathcal{P} \cup \{P\{M/x\}\}, \mathcal{M}$ if $M \in \mathcal{M}$ (Red In')

$E, \mathcal{P} \cup \{\mathit{let}\ x = g(M_1, \ldots, M_n)\ \mathit{in}\ P\ \mathit{else}\ 0\}, \mathcal{M} \to E[x \mapsto E(M')], \mathcal{P} \cup \{P\{M'/x\}\}, \mathcal{M} \cup \{M_1, \ldots, M_n, M'\}$ if $g(M_1, \ldots, M_n) \to M'$ (Red Destr 1')

$E, \mathcal{P} \cup \{event(M).Q\}, \mathcal{M} \to E, \mathcal{P} \cup \{Q\}, \mathcal{M} \cup \{M\}$ (Red Event')

Figure 10: Special semantics for instrumented processes

Proposition 4 If $P_0$ is a tagged protocol such that $Params_{pk}$ and $Params_{host}$ have at most one element and $P'_0 = \mathrm{instr}(P_0)$, then $\mathrm{condense}(\mathcal{R}_{P'_0, Init})$ is a weakly tagged program.

Proof sketch The fully detailed proof is very long (about 8 pages), so we give only a sketch here. A similar proof (for strong secrecy instead of secrecy and reachability) with more details can be found in the technical report [16, Appendix C].

We assume that different occurrences of restrictions and variables have different identifiers, and identifiers different from free names and variables. In Figure 10, we define a special semantics for instrumented processes, which is only used as a tool in the proof. A semantic configuration consists of three components: an environment $E$ mapping names and variables to patterns, a multiset of instrumented processes $\mathcal{P}$, and a set of terms $\mathcal{M}$. The semantics is defined as a reduction relation on semantic configurations. In this semantics, $(\nu a)$ creates the name $a$, instead of a fresh name $a'$. Indeed, creating fresh names is useless, since the replication does not copy processes in this semantics, and the names are initially pairwise distinct.

Let $E_0 = \{a \mapsto a[\,] \mid a \in fn(P_0)\}$. We show that $E_0, \{P'_0\}, fn(P_0) \to^* E', \emptyset, \mathcal{M}'$, for some $E'$ and $\mathcal{M}'$, such that the second argument of $pencrypt_p$ in $\mathcal{M}'$ is of the form $pk(M)$ and the arguments of pk and host in $\mathcal{M}'$ are atomic constants in $Params_{pk}$ and $Params_{host}$ respectively. This result is obtained by simulating in the semantics of Figure 10 the trace of Condition C5. Moreover, the second argument of $pencrypt_p$ in $\mathcal{M}'$ is of the form $pk(M)$ by Condition C6 and the arguments of pk and host in $\mathcal{M}'$ are atomic constants in $Params_{pk}$ and $Params_{host}$ respectively, by Condition C7 and the definition of $Params_{pk}$ and $Params_{host}$.

Let us define $S_0 = E'(\mathcal{M}') \cup \{b_0[Id_0]\}$. If $Params_{pk}$ is empty, we add some key $k$ to it, so that $Params_{pk} = \{k\}$. Let $c, c', c'', c'''$ be constants. If $S_0$ contains no instance of $sencrypt(x, y)$, we add $sencrypt((c, c'), c'')$ to $S_0$. If $S_0$ contains no instance of $sencrypt_p(x, y, z)$, we add $sencrypt_p((c, c'), c'', c''')$ to $S_0$. If $S_0$ contains no instance of $pencrypt_p(x, y, z)$, we add $pencrypt_p((c, c'), pk(k), c'')$ to $S_0$. If $S_0$ contains no instance of $sign(x, y)$, we add $sign((c, c'), k)$ to $S_0$. If $S_0$ contains no instance of $nmrsign(x, y)$, we add $nmrsign((c, c'), k)$ to $S_0$. So $S_0$ is a finite set of closed patterns. Intuitively, $S_0$ is the set of patterns corresponding to closed terms that occur in the trace of Condition C5.

Let $E_t$ be $E$ in which all patterns $a[\ldots]$ are replaced with their corresponding term $a$. In all reductions $E_0, \{P'_0\}, fn(P_0) \to^* E, \mathcal{P}, \mathcal{M}$, all patterns of the form $a[\ldots]$ in the image of $E$ are equal to $E(a)$, so $E \circ E_t = E$. We show the following result by induction on $P$:

Let $P$ be an instrumented process, subprocess of $P'_0$. Assume that $E_0, \{P'_0\}, fn(P_0) \to^* E, \mathcal{P} \cup \{E_t(P)\}, \mathcal{M} \to^* E', \emptyset, \mathcal{M}'$, and that there exists $\sigma'$ such that $E'|_{\mathrm{dom}(\rho)} = \sigma' \circ \rho$ and $\mathrm{patterns}(\sigma' H) \subseteq \mathrm{sub}(S_0)$. Then for all $R \in [\![P]\!]\rho H$, there exists $\sigma''$ such that $\mathrm{patterns}(\sigma'' R) \subseteq \mathrm{sub}(S_0)$.

Let $\rho_0 = \{a \mapsto a[\,] \mid a \in fn(P_0)\}$. By applying this result to $P = P'_0$, we obtain that for all clauses $R$ in $[\![P'_0]\!]\rho_0 \emptyset$, there exists a substitution $\sigma$ such that $\mathrm{patterns}(\sigma R) \subseteq \mathrm{sub}(S_0)$.
Let

$tagGen = \{f((c_t, x_1, \ldots, x_n), x'_2, \ldots, x'_{n'}) \mid f \in \{sencrypt, sencrypt_p, pencrypt_p, sign, nmrsign, h, mac\}\}$
$\cup \{a[x_1, \ldots, x_n] \mid a \text{ name function symbol}\}$
$\cup \{pk(x), host(x)\} \cup \{c \mid c \text{ atomic constant}\}$

We show the following result by induction on $P$:

Assume that the patterns of the image of $\rho$ and of $H$ are fully tagged. Assume that $P$ is an instrumented process, subprocess of $P'_0$. For all $R \in [\![P]\!]\rho H$, $\mathrm{patterns}(R)$ are fully tagged.

This result relies on Condition C3 to show that the created terms are tagged, and on Condition C4 to show that the tags are checked. By applying this result to $P = P'_0$, we obtain that for all $R \in [\![P'_0]\!]\rho_0 \emptyset$, the patterns of $R$ are fully tagged.

By the previous results, $[\![P'_0]\!]\rho_0 \emptyset \subseteq \mathcal{R}_{Protocol}$.

The clauses (Rf) are in $\mathcal{R}_{Constr}$. The clauses (Init) and (Rn) are in $\mathcal{R}_{Protocol}$ given the value of $S_0$. The clauses (Rg) for $nth_i$, sdecrypt, $sdecrypt_p$, $pdecrypt_p$, and getmessage are:

$attacker((x_1, \ldots, x_n)) \Rightarrow attacker(x_i)$ ($nth_i$)

$attacker(sencrypt(x, y)) \wedge attacker(y) \Rightarrow attacker(x)$ (sdecrypt)

$attacker(sencrypt_p(x, y, z)) \wedge attacker(y) \Rightarrow attacker(x)$ ($sdecrypt_p$)

$attacker(pencrypt_p(x, pk(y), z)) \wedge attacker(y) \Rightarrow attacker(x)$ ($pdecrypt_p$)

$attacker(sign(x, y)) \Rightarrow attacker(x)$ (getmessage)

and they are in $\mathcal{R}_{Destr}$ provided that all public-key encryptions in $S_0$ are of the form $pencrypt_p(p_1, pk(p_2), p_3)$ (that is, Condition C6). The clauses for checksignature and nmrchecksign are

$attacker(sign(x, y)) \wedge attacker(pk(y)) \Rightarrow attacker(x)$ (checksignature)

$attacker(nmrsign(x, y)) \wedge attacker(pk(y)) \wedge attacker(x) \Rightarrow attacker(true)$ (nmrchecksign)

These two clauses are subsumed respectively by the clauses for getmessage (given above) and true (which is simply $attacker(true)$ since true is a zero-ary constructor), so they are eliminated by condense, i.e., they are not in $\mathrm{condense}(\mathcal{R}_{P'_0, Init})$. (This is important, because they are not in $\mathcal{R}_{Destr}$.) Therefore all clauses in $\mathrm{condense}(\mathcal{R}_{P'_0, Init})$ are in $\mathcal{R}_{ProtAdv}$, since the set of clauses $\mathcal{R}_{ProtAdv}$ is preserved by simplification, so we have Condition W1.

Different patterns in $tagGen$ do not unify. Moreover, each pattern in $tagGen$ has at most one instance in $\mathrm{sub}(S_0)$. For $pk(x)$ and $host(x)$, this comes from the hypothesis that $Params_{pk}$ and $Params_{host}$ have at most one element. For atomic constants, this is obvious. (Their only instance is themselves.) For other patterns, this comes from the fact that the trace of Condition C5 executes each program point at most once, and that patterns created at different program points are associated with different symbols ($f$, $c$) for $f((c, \ldots), \ldots)$ and $a$ for $a[\ldots]$. (For $f((c, \ldots), \ldots)$, this comes from Condition C3. For $a[\ldots]$, this is because different restrictions use a different function symbol by construction of the clauses.) So we have Condition W2. □

The next proposition shows that saturation terminates for weakly tagged programs.

Proposition 5 Let $\mathcal{R}_0$ be a set of clauses. If $\mathrm{condense}(\mathcal{R}_0)$ is a weakly tagged program (Definition 20), then the computation of $\mathrm{saturate}(\mathcal{R}_0)$ terminates.

Proof This result is very similar to [20, Proposition 8], so we give only a brief sketch and refer the reader to that paper for details.

We show by induction that all clauses $R$ generated from $\mathcal{R}_0$ are in $\mathcal{R}_{Protocol} \cup \mathcal{R}_{Constr} \cup \mathcal{R}_{Destr}$ and the patterns of attacker facts in clauses $R$ in $\mathcal{R}_{Protocol}$ are non-data.

First, by hypothesis, all clauses in $\mathrm{condense}(\mathcal{R}_0)$ satisfy this property, by definition of weakly tagged programs and because of the decomposition of data constructors by decomp.

If we combine by resolution two clauses in $\mathcal{R}_{Constr} \cup \mathcal{R}_{Destr}$, we in fact combine a clause of $\mathcal{R}_{Constr}$ with a clause of $\mathcal{R}_{Destr}$. The resulting clause is a tautology by definition of $\mathcal{R}_{Constr}$ and $\mathcal{R}_{Destr}$, so it is eliminated by elimtaut.

Otherwise, we combine by resolution a clause $R$ in $\mathcal{R}_{Protocol}$ with a clause $R'$ such that $R' \in \mathcal{R}_{Protocol}$, $\mathrm{sel}(R') = \emptyset$, and $\mathrm{sel}(R) \neq \emptyset$, or $R' \in \mathcal{R}_{Constr}$, or $R' \in \mathcal{R}_{Destr}$. Let $R''$ be the clause obtained by resolution of $R$ and $R'$. We show that the patterns of $R''$ are fully tagged, and for each $\sigma$ such that $\mathrm{patterns}(\sigma R) \subseteq \mathrm{sub}(S_0)$, there exists $\sigma''$ such that $\mathrm{patterns}(\sigma'' R'') \subseteq \mathrm{sub}(S_0)$ and $\mathrm{size}(\sigma'' R'') < \mathrm{size}(\sigma R)$, where the size is defined as follows. The size of a pattern $\mathrm{size}(p)$ is defined as usual, $\mathrm{size}(attacker(p)) = \mathrm{size}(event(p)) = \mathrm{size}(p)$, and $\mathrm{size}(F_1 \wedge \ldots \wedge F_n \Rightarrow F) = \mathrm{size}(F_1) + \ldots + \mathrm{size}(F_n) + \mathrm{size}(F)$.

Let $R_s \in \mathrm{simplify}(R'')$. The patterns of $R_s$ are non-data fully tagged, $\mathrm{patterns}(\sigma'' R_s) \subseteq \mathrm{sub}(S_0)$, and $\mathrm{size}(\sigma'' R_s) \leq \mathrm{size}(\sigma'' R'') < \mathrm{size}(\sigma R)$. So $R_s \in \mathcal{R}_{Protocol}$ and its patterns are non-data.

Moreover, for all generated clauses $R$, there exists $\sigma$ such that $\mathrm{size}(\sigma R)$ is smaller than the maximum initial value of $\mathrm{size}(\sigma R)$ for a clause of the protocol. There is a finite number of such clauses (since $\mathrm{size}(R) \leq \mathrm{size}(\sigma R)$). So $\mathrm{saturate}(\mathcal{R}_0)$ terminates. □
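As an added illustration (this is not code from the paper or from ProVerif), the following Python sketch implements in miniature the resolution step $R \circ_{F_0} R'$, the data-constructor part of simplify (decomp, decomphyp, elimdup, elimtaut) and the size measure just defined, and runs them on a constructed protocol clause resolved with the (sdecrypt) clause; the clause, the constants $c_1$, $k$, $n$ and the choice of tuples as the only data constructor are assumptions of the example.

```python
"""Added illustration, not from the paper: a miniature of the resolution step R o_F R',
of the data-constructor part of simplify (decomp, decomphyp, elimdup, elimtaut) and of
the size measure from the proof of Proposition 5, run on constructed clauses.
A variable is a str starting with '?'; any other pattern is (symbol, args);
'tuple' is the only data constructor. A fact is (pred, pattern); a clause (hyps, concl)."""
from itertools import count

DATA_CONSTRUCTORS = {"tuple"}
_fresh = count()

def is_var(p):
    return isinstance(p, str) and p.startswith("?")

def subst(s, p):
    """Apply substitution s (dict var -> pattern) to pattern p."""
    if is_var(p):
        return subst(s, s[p]) if p in s else p
    return (p[0], tuple(subst(s, a) for a in p[1]))

def occurs(v, p):
    return v == p if is_var(p) else any(occurs(v, a) for a in p[1])

def unify(p, q, s=None):
    """Most general unifier of p and q extending s, or None if none exists."""
    s = dict(s or {})
    p, q = subst(s, p), subst(s, q)
    if p == q: return s
    if is_var(p): return None if occurs(p, q) else {**s, p: q}
    if is_var(q): return unify(q, p, s)
    if p[0] != q[0] or len(p[1]) != len(q[1]): return None
    for a, b in zip(p[1], q[1]):
        s = unify(a, b, s)
        if s is None: return None
    return s

def subst_clause(s, R):
    return ([(F[0], subst(s, F[1])) for F in R[0]], (R[1][0], subst(s, R[1][1])))

def pattern_vars(p, acc):
    if is_var(p): acc.add(p)
    for a in ([] if is_var(p) else p[1]): pattern_vars(a, acc)
    return acc

def clause_vars(R):
    return {v for F in R[0] + [R[1]] for v in pattern_vars(F[1], set())}

def rename(R):
    """Rename the variables of R apart so that two clauses never share variables."""
    n = next(_fresh)
    return subst_clause({v: f"{v}_{n}" for v in clause_vars(R)}, R)

def ground(R, p):
    """Closed instance of R mapping every variable to the closed pattern p."""
    return subst_clause({v: p for v in clause_vars(R)}, R)

def resolve(R, Rp, F):
    """R o_F R': unify the conclusion C of R with hypothesis F of R' = H' => C';
    the result is sigma(H /\\ (H' minus F) => C'), or None if C and F do not unify."""
    H, C = rename(R)
    Hp, Cp = Rp
    if F not in Hp or C[0] != F[0]: return None
    s = unify(C[1], F[1])
    return None if s is None else subst_clause(s, (H + [G for G in Hp if G != F], Cp))

def is_data_fact(F):
    return F[0] == "attacker" and not is_var(F[1]) and F[1][0] in DATA_CONSTRUCTORS

def decomp_parts(F):
    """attacker(f(p1..pn)) with f a data constructor -> [attacker(p1), ..., attacker(pn)]."""
    if is_data_fact(F):
        return [G for a in F[1][1] for G in decomp_parts(("attacker", a))]
    return [F]

def simplify(R):
    """decomphyp on the hypotheses, decomp on the conclusion (the constructor clause
    itself is kept), then elimdup and elimtaut; returns the list of resulting clauses."""
    H, C = R
    hyps = []
    for G in (G2 for G0 in H for G2 in decomp_parts(G0)):
        if G not in hyps: hyps.append(G)
    args = C[1][1] if is_data_fact(C) else None
    if args and all(is_var(a) for a in args) and len(set(args)) == len(args) \
            and set(hyps) == {("attacker", a) for a in args}:
        return [R]  # attacker(x1) /\ ... /\ attacker(xn) => attacker(f(x1..xn)) stays
    return [(hyps, Ci) for Ci in decomp_parts(C) if Ci not in hyps]

def size(p):  # size(p) as usual: 1 for a variable, 1 + sizes of the arguments otherwise
    return 1 if is_var(p) else 1 + sum(size(a) for a in p[1])

def clause_size(R):
    """size(F1 /\\ ... /\\ Fn => F) = size(F1) + ... + size(Fn) + size(F)."""
    return sum(size(F[1]) for F in R[0]) + size(R[1][1])

def example():
    c1, k, n = ("c1", ()), ("k", ()), ("n", ())
    # constructed protocol clause: attacker(x) => attacker(sencrypt((c1, x), k))
    R = ([("attacker", "?x")], ("attacker", ("sencrypt", (("tuple", (c1, "?x")), k))))
    # (sdecrypt): attacker(sencrypt(y, z)) /\ attacker(z) => attacker(y)
    F = ("attacker", ("sencrypt", ("?y", "?z")))
    Rdestr = ([F, ("attacker", "?z")], ("attacker", "?y"))
    R2 = resolve(R, Rdestr, F)       # attacker(x) /\ attacker(k) => attacker((c1, x))
    simplified = simplify(R2)        # decomp then elimtaut: ... => attacker(c1) only
    before = clause_size(ground(R, n))              # closed instance with x := n
    after = clause_size(ground(simplified[0], n))   # strictly smaller, as in the proof
    return R2, simplified, before, after
```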

Next, we show that derivable terminates when it is called on the result of the saturation of a weakly tagged program.

Proposition 6 If $F$ is a closed fact and $\mathcal{R}_1$ is a weakly tagged program simplified by simplify such that, for all $R \in \mathcal{R}_1$, $\mathrm{sel}(R) = \emptyset$, then $\mathrm{derivable}(F, \mathcal{R}_1)$ terminates.

Proof We show the following property:

For all calls $\mathrm{deriv}(R, \mathcal{R}, \mathcal{R}_1)$, $R = F \Rightarrow F$ or $R = attacker(p_1) \wedge \ldots \wedge attacker(p_n) \Rightarrow F$ where $p_1, \ldots, p_n$ are closed patterns.

This property is proved by induction. It is obviously true for the initial call to deriv, $\mathrm{deriv}(F \Rightarrow F, \emptyset, \mathcal{R}_1)$. For recursive calls to deriv, $\mathrm{deriv}(R'', \mathcal{R}, \mathcal{R}_1)$, the clause $R''$ is in $\mathrm{simplify}'(R' \circ_{F_0} R)$, where $R' = attacker(x_1) \wedge \ldots \wedge attacker(x_k) \Rightarrow F'$ since $R' \in \mathcal{R}_1$, and $R = F \Rightarrow F$ or $R = attacker(p_1) \wedge \ldots \wedge attacker(p_n) \Rightarrow F$ where $p_1, \ldots, p_n$ are closed patterns, by induction hypothesis. After unification of $F'$ and $F_0$, $x_i$ is substituted by a closed pattern $p'_i$ (subpattern of $F_0$, and $F_0$ is closed since $F_0$ is a hypothesis of $R$), since $x_i$ appears in $F'$. (If $x_i$ did not appear in $F'$, $attacker(x_i)$ would have been removed by elimattx.)

If $R = F \Rightarrow F$, $R' \circ_{F_0} R = attacker(p'_1) \wedge \ldots \wedge attacker(p'_k) \Rightarrow F$ has only closed patterns in its hypotheses, and so has the clause $R''$ in $\mathrm{simplify}'(R' \circ_{F_0} R)$.

Otherwise, $R = attacker(p_1) \wedge \ldots \wedge attacker(p_n) \Rightarrow F$, $F_0 = attacker(p_i)$, and $p_i$ is a closed pattern. We have $R' \circ_{F_0} R = attacker(p'_1) \wedge \ldots \wedge attacker(p'_k) \wedge attacker(p_1) \wedge \ldots \wedge attacker(p_{i-1}) \wedge attacker(p_{i+1}) \wedge \ldots \wedge attacker(p_n) \Rightarrow F$, which has only closed patterns in its hypotheses, and so has the clause $R''$ in $\mathrm{simplify}'(R' \circ_{F_0} R)$. Moreover, $p'_1, \ldots, p'_k$ are disjoint subterms of $p_i$, therefore the total size of $p'_1, \ldots, p'_k$ is strictly smaller than the size of $p_i$. (If we had equality, the pattern of $F'$ would be a variable; this variable would occur in the hypotheses by definition of $\mathcal{R}_{ProtAdv}$, so $R'$ would have been removed by elimtaut.) Therefore the total size of the patterns in the hypotheses strictly decreases. (The simplification function simplify' cannot increase this size.) This decrease proves termination. □

From the previous results, we infer the termination of the algorithm for tagged protocols, when $Params_{pk}$ and $Params_{host}$ have at most one element. The general case can then be obtained as in [20]: we define a function OneKey which maps all elements of $Params_{pk}$ and $Params_{host}$ to a single atomic constant. When $P_0$ is a tagged protocol, $\mathrm{OneKey}(P_0)$ is a tagged protocol in which $Params_{pk}$ and $Params_{host}$ are singletons. We consider a "less optimized algorithm" in which elimination of duplicate hypotheses and of tautologies is performed only for facts of the form $attacker(x)$, elimination of redundant hypotheses is not performed, and elimination of subsumed clauses is performed only for eliminating the destructor clauses for checksignature and nmrchecksign. We observe that the previous results still hold for the less optimized algorithm, with the same proof, so this algorithm terminates on $\mathrm{OneKey}(P_0)$. All resolution steps possible for the less optimized algorithm applied to $P'_0$ are possible for the less optimized algorithm applied to $\mathrm{OneKey}(P'_0)$ as well (more patterns are unifiable, and the remaining simplifications of the less optimized algorithm commute with applications of OneKey). Hence, the derivations from $\mathcal{R}_{P'_0, Init}$ are mapped by OneKey to derivations from $\mathcal{R}_{\mathrm{OneKey}(P'_0), Init}$, which are finite, so derivations from $\mathcal{R}_{P'_0, Init}$ are also finite, so the less optimized algorithm terminates on $P'_0$. We can then show that the original, fully optimized algorithm also terminates on $P'_0$. So we finally obtain Proposition 3.

E General Correspondences

In this appendix, we prove Theorem 5. For simplicity, we assume that the function applications at the root of events are unary.

Lemma 17 Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}'(P_0)$. Let $Q$ be an Init-adversary and $Q' = \mathrm{instrAdv}(Q)$. Assume that, in $P'_0$, the arguments of events are function applications. Let $f$ be a function symbol. Assume that there is a single occurrence of $event(f(\_))$ in $P'_0$ and this occurrence is under a replication. Consider any trace $T = S_0, E_0, \{P'_0, Q'\} \to^* S', E', \mathcal{P}'$. The multiset of session identifiers $\lambda$ of events $event(f(\_), \lambda)$ executed in $T$ contains no duplicates.

Proof Let us define the multiset $\mathrm{SId}(P)$ by $\mathrm{SId}(event(f(M), \lambda).P) = \{\lambda\} \cup \mathrm{SId}(P)$ (for the given function symbol $f$), $\mathrm{SId}(!^i P) = \emptyset$, and in all other cases, $\mathrm{SId}(P)$ is the union of the $\mathrm{SId}(P')$ for all immediate subprocesses $P'$ of $P$. For a trace $T$, let $\mathrm{SId}(T)$ be the set of session identifiers $\lambda$ of events $event(f(\_), \lambda)$ executed in the trace $T$.

We show that, for each trace $T = S_0, E_0, \{P'_0, Q'\} \to^* S', E', \mathcal{P}'$, $\mathrm{SId}(T) \cup \bigcup_{P \in \mathcal{P}'} \mathrm{SId}(P) \cup S'$ contains no duplicates. The proof is by induction on the length of the trace.

For the empty trace $T = S_0, E_0, \{P'_0, Q'\} \to^* S_0, E_0, \{P'_0, Q'\}$, $\mathrm{SId}(T) = \emptyset$ and $\mathrm{SId}(P'_0) \cup \mathrm{SId}(Q') = \emptyset$ by definition.

The reduction (Red Repl) moves at most one session identifier from $S'$ to $\bigcup_{P \in \mathcal{P}'} \mathrm{SId}(P)$ (without introducing duplicates since there is one occurrence of $event(f(\_), \_)$). The reduction (Red Event) moves at most one session identifier from $\bigcup_{P \in \mathcal{P}'} \mathrm{SId}(P)$ to $\mathrm{SId}(T)$. The other reductions can only remove session identifiers from $\bigcup_{P \in \mathcal{P}'} \mathrm{SId}(P)$ (by removing subprocesses). □

Lemma 18 Let $P_0 = C[event(f(M)).D[event(f^{\mathrm{m\text{-}event}}(M, x)).P]]$, where no replication occurs in $D[\,]$ above the hole $[\,]$, and the variables and names bound in $P_0$ are all pairwise distinct and distinct from free names. Assume that, in $P_0$, the arguments of events are function applications, and that there is a single occurrence of $event(f(\_))$ and of $event(f^{\mathrm{m\text{-}event}}(\_, \_))$ in $P_0$.

Let $Q$ be an Init-adversary and $Q' = \mathrm{instrAdv}(Q)$. Let $P'_0 = \mathrm{instr}'(P_0)$. Consider a trace of $P'_0$: $T = S_0, E_0, \mathcal{P}_0 = \{P'_0, Q'\} \to^* S_{\tau_f}, E_{\tau_f}, \mathcal{P}_{\tau_f}$.

Then there exists a function $\phi'$ such that a) if $event(f^{\mathrm{m\text{-}event}}(p, p'), \lambda)$ is executed at step $\tau$ in $T$ for some $\lambda, p, p', \tau$, then $event(f(p), \lambda)$ is executed at step $\phi'(\tau)$ in $T$, b) $\phi'$ is injective, and c) if $\phi'(\tau)$ is defined, then $\phi'(\tau) < \tau$.

Proof We denote by $S_\tau, E_\tau, \mathcal{P}_\tau$ the configuration at the step $\tau$ in the trace $T$. Let

$S^1(\tau) = \{(\lambda, p) \mid event(f(p), \lambda) \text{ is executed in the first } \tau \text{ steps of } T\}$,
$S^2(\tau) = \{(\lambda, p) \mid event(f^{\mathrm{m\text{-}event}}(p, p'), \lambda) \text{ is executed in the first } \tau \text{ steps of } T\}$,
$S^3(\tau) = \{(\lambda, p) \mid event(f^{\mathrm{m\text{-}event}}(M, M'), \lambda) \text{ occurs not under } event(f(M), \lambda) \text{ in } \mathcal{P}_\tau \text{ for } E_\tau(M) = p\}$.

For each $\tau$, we show that $S^2(\tau) \cup S^3(\tau) \subseteq S^1(\tau)$.

• For $\tau = 0$, the sets $S^1(\tau)$, $S^2(\tau)$, and $S^3(\tau)$ are empty.

• If $S_\tau, E_\tau, \mathcal{P}_\tau \to S_{\tau+1}, E_{\tau+1}, \mathcal{P}_{\tau+1}$ using (Red Event) to execute $event(f(M), \lambda)$, then the same $(\lambda, E_{\tau+1}(M))$ is added to $S^3(\tau+1)$ and to $S^1(\tau+1)$. Similarly, for (Red Event) executing $event(f^{\mathrm{m\text{-}event}}(M, M'), \lambda)$, a pair $(\lambda, E_{\tau+1}(M))$ is moved from $S^3(\tau)$ to $S^2(\tau+1)$. These changes preserve the desired inclusion.

• Otherwise, if $S_\tau, E_\tau, \mathcal{P}_\tau \to S_{\tau+1}, E_{\tau+1}, \mathcal{P}_{\tau+1}$, then $S^1(\tau+1) = S^1(\tau)$, $S^2(\tau+1) = S^2(\tau)$, and $S^3(\tau+1) \subseteq S^3(\tau)$ (because some subprocesses may be removed by the reduction).

In particular, $S^2(\tau_f) \subseteq S^1(\tau_f)$. By Lemma 17, there is a bijection $\phi_1$ from the session labels $\lambda$ of executed $event(f(\_), \lambda)$ events in $T$ to the steps at which these events are executed in $T$, and similarly $\phi_2$ for $event(f^{\mathrm{m\text{-}event}}(\_, \_), \_)$ events. Let $\phi' = \phi_1 \circ \phi_2^{-1}$.

• If $event(f^{\mathrm{m\text{-}event}}(p, p'), \lambda)$ is executed at step $\tau$, $(\lambda, p) \in S^2(\tau_f) \subseteq S^1(\tau_f)$, so $event(f(p), \lambda)$ is executed at a certain step $\tau'$. So $\phi_2(\lambda) = \tau$ and $\phi_1(\lambda) = \tau'$, so $\phi'(\tau)$ is defined and $\tau' = \phi'(\tau)$.

• Since $\phi_1$ and $\phi_2^{-1}$ are injective, $\phi'$ is injective.

• If $\phi'(\tau)$ is defined, the event $event(f^{\mathrm{m\text{-}event}}(\sigma y, \sigma x), \lambda)$ is executed at step $\tau$ by (Red Event). So $(\lambda, \sigma y) \in S^3(\tau)$, where $\mathcal{P}_\tau$ corresponds to the state just before the event $event(f^{\mathrm{m\text{-}event}}(\sigma y, \sigma x), \lambda)$ is executed. Hence $(\lambda, \sigma y) \in S^1(\tau)$ since $S^2(\tau) \cup S^3(\tau) \subseteq S^1(\tau)$. So $event(f(\sigma y), \lambda)$ is executed at step $\tau' < \tau$. We have $\phi_2(\lambda) = \tau$ and $\phi_1(\lambda) = \tau'$, so $\phi'(\tau) = \tau' < \tau$. □

Proof (of Theorem 5) For each non-empty $\widetilde{jk}$, when $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$, let $f_{\widetilde{jk}}$ be the root function symbol of $p_{\widetilde{jk}}$. We consider a modified process $P_1$ built from $P$ as follows. For each $\widetilde{jk}$ such that $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$ and $\mathrm{event}(f_{\widetilde{jk}}(M))$ occurs in $P$, we add another event $\mathrm{event}(f^{\text{m-event}}_{\widetilde{jk}}(M, x_{\widetilde{jk}}))$ just under the definition of variable $x_{\widetilde{jk}}$ if $x_{\widetilde{jk}}$ is defined under $\mathrm{event}(f_{\widetilde{jk}}(M))$ and just under $\mathrm{event}(f_{\widetilde{jk}}(M))$ otherwise. Let $P'_1 = \mathrm{instr}'(P_1)$. The process $P'_1$ is built from $P'_0$ as follows. For each $\widetilde{jk}$ such that $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$ and $\mathrm{event}(f_{\widetilde{jk}}(M), i)$ occurs in $P'_0$, we add another event $\mathrm{event}(f^{\text{m-event}}_{\widetilde{jk}}(M, x_{\widetilde{jk}}), i)$ just under the definition of variable $x_{\widetilde{jk}}$ if $x_{\widetilde{jk}}$ is defined under $\mathrm{event}(f_{\widetilde{jk}}(M), i)$ and just under $\mathrm{event}(f_{\widetilde{jk}}(M), i)$ otherwise. (When $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$, $x_{\widetilde{jk}} \in \mathrm{dom}(\rho_{\widetilde{jk}})$ where $\rho_{\widetilde{jk}}$ is the environment added as argument of m-event facts in the clauses, so $x_{\widetilde{jk}}$ is defined either above $\mathrm{event}(f_{\widetilde{jk}}(M), i)$ or under $\mathrm{event}(f_{\widetilde{jk}}(M), i)$ without any replication between the event and the definition of $x_{\widetilde{jk}}$, since the domain of the environment given as argument to m-event is set at replications by substituting □ and not modified later.) We will show that $P'_1$ satisfies the desired correspondence. It is then clear that $P'_0$ also satisfies it.

The clauses $\mathcal{R}_{P'_1, \mathit{Init}}$ can be obtained from $\mathcal{R}'_{P, \mathit{Init}}$ by replacing all facts $\text{m-event}(p, \rho)$ with
\[
\text{m-event}(p, i) \wedge \bigwedge_{\widetilde{jk} \text{ such that } p = f_{\widetilde{jk}}(p') \text{ and } x_{\widetilde{jk}} \in \mathrm{dom}(\rho)} \text{m-event}(f^{\text{m-event}}_{\widetilde{jk}}(p', \rho(x_{\widetilde{jk}})), i)
\]
for some $i$, and adding clauses that conclude $\mathrm{event}(f^{\text{m-event}}_{\widetilde{jk}}(\ldots), \ldots)$.

The clauses in $\mathrm{solve}_{P'_1, \mathit{Init}}$ can be obtained in the same way from $\mathrm{solve}'_{P, \mathit{Init}}$. So we can define a function $\mathrm{verify}'$ like $\mathrm{verify}$ with an additional argument $(x_{\widetilde{jk}})_{\widetilde{jk}}$, by adding $(x_{jk\widetilde{jk}})_{\widetilde{jk}}$ in the arguments of the recursive call of Point V2.3 and replacing Point V2.1 with
\[
\mathrm{solve}_{P'_1, \mathit{Init}}(\mathrm{event}(p, i)) \subseteq \Bigl\{H \wedge \bigwedge_{k=1}^{l_j} \text{m-event}(\mathit{arg}_{jrk}, i_{jrk}) \Rightarrow \mathrm{event}(\sigma_{jr} p'_j, i_{jr}) \text{ for some } H,\ j \in \{1, \ldots, m\},\ r,\ i_{jrk}, \text{ and } (\rho_{jrk}, i_{jr}) \in \mathit{Env}_{jk} \text{ for all } k\Bigr\}
\]
where $\mathit{arg}_{jrk} = \sigma_{jr} p_{jk}$ if $[\mathrm{inj}]_{jk} \neq \mathrm{inj}$, and $\mathit{arg}_{jrk} = f^{\text{m-event}}_{jk}(\sigma_{jr} p', \rho_{jrk}(x_{jk}))$ if $[\mathrm{inj}]_{jk} = \mathrm{inj}$ and $p_{jk} = f_{jk}(p')$. When $\mathrm{verify}(q, (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}})$ is true, $\mathrm{verify}'(q, (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}}, (x_{\widetilde{jk}})_{\widetilde{jk}})$ is also true.
Let $Q$ be an $\mathit{Init}$-adversary and $Q' = \mathrm{instrAdv}(Q)$. Let $E_0$ be such that $E_0(a) = a[\,]$ for all $a \in \mathrm{dom}(E_0)$ and $\mathrm{fn}(P'_1) \cup \mathit{Init} \subseteq \mathrm{dom}(E_0)$. Let us now consider a trace of $P'_1$, $T = S_0, E_0, \{P'_1, Q'\} \to^* S', E', \mathcal{P}'$.

By Lemma 18, for each non-empty $\widetilde{jk}$ such that $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$, there exists a function $\phi^1_{\widetilde{jk}}$ such that a) if $\mathrm{event}(f^{\text{m-event}}_{\widetilde{jk}}(p, p'), \lambda)$ is executed at step $\tau$ in $T$ for some $\lambda, p, p', \tau$, then $\mathrm{event}(f_{\widetilde{jk}}(p), \lambda)$ is executed at step $\phi^1_{\widetilde{jk}}(\tau)$ in $T$, b) $\phi^1_{\widetilde{jk}}$ is injective, and c) if $\phi^1_{\widetilde{jk}}(\tau)$ is defined, then $\phi^1_{\widetilde{jk}}(\tau) < \tau$.

When $\psi_{\widetilde{jk}}$ is a family of functions from steps to steps in a trace, we define $\psi^{\widetilde{jk}}$ as follows:

• $\psi^{\varepsilon}(\tau) = \tau$ for all $\tau$;

• for all $\widetilde{jk}$, for all $j$ and $k$, $\psi^{\widetilde{jk}jk} = \phi^1_{\widetilde{jk}jk} \circ \psi_{\widetilde{jk}jk} \circ \psi^{\widetilde{jk}}$ when $[\mathrm{inj}]_{\widetilde{jk}jk} = \mathrm{inj}$ and $\psi^{\widetilde{jk}jk} = \psi_{\widetilde{jk}jk} \circ \psi^{\widetilde{jk}}$ otherwise.

We show that, if $\mathrm{verify}'(q', (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}}, (x_{\widetilde{jk}})_{\widetilde{jk}})$ is true for
\[
q' = \mathrm{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Bigl(\mathrm{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, q'_{jk}\Bigr)
\]
\[
q'_{\widetilde{jk}} = \mathrm{event}(p_{\widetilde{jk}}) \rightsquigarrow \bigvee_{j=1}^{m_{\widetilde{jk}}} \bigwedge_{k=1}^{l_{\widetilde{jk}j}} [\mathrm{inj}]_{\widetilde{jk}jk}\, q'_{\widetilde{jk}jk}
\]
then there exists a function $\psi_{\widetilde{jk}}$ for each $\widetilde{jk}$ such that

P1. For all $\tau$, if the event $\mathrm{event}(\sigma p, \lambda_\varepsilon)$ is executed at step $\tau$ in $T$, then there exist $\sigma''$ and $J = (j_{\widetilde{k}})_{\widetilde{k}}$ such that $\sigma'' p'_{j_\varepsilon} = \sigma p$ and, for all non-empty $\widetilde{k}$, $\psi^{\mathrm{makejk}(\widetilde{k},J)}(\tau)$ is defined and $\mathrm{event}(\sigma'' p_{\mathrm{makejk}(\widetilde{k},J)}, \lambda_{\widetilde{k}})$ is executed at step $\psi^{\mathrm{makejk}(\widetilde{k},J)}(\tau)$ in $T$.

P2. For all non-empty $\widetilde{jk}$, if $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$ and $\psi_{\widetilde{jk}}(\tau)$ is defined, then $\mathrm{event}(p''_1, \lambda'_1)$ is executed at step $\tau$ in $T$, $\mathrm{event}(f^{\text{m-event}}_{\widetilde{jk}}(p''_2, \theta\rho(x_{\widetilde{jk}})), \lambda'_2)$ is executed at step $\psi_{\widetilde{jk}}(\tau)$ in $T$ and $\theta i = \lambda'_1$ for some $p''_1$, $p''_2$, $\lambda'_1$, $\lambda'_2$, $\theta$, and $(\rho, i) \in \mathit{Env}_{\widetilde{jk}}$, where $f_{\widetilde{jk}}$ is the root function symbol of $p_{\widetilde{jk}}$. (This property is used for proving injectivity and recentness.)

P3. For all non-empty $\widetilde{jk}$, if $\psi_{\widetilde{jk}}(\tau)$ is defined, then $\psi_{\widetilde{jk}}(\tau) < \tau$.

The proof is by induction on $q'$.

• If $q' = \mathrm{event}(p)$ (that is, $m = 1$, $l_1 = 0$, and $p'_1 = p$), we define $j_\varepsilon = 1$ and $\sigma'' = \sigma$, so that $\sigma'' p'_{j_\varepsilon} = \sigma p$. All other conditions hold trivially, since there is no non-empty $\widetilde{k}$.

• Otherwise, we define $\psi_{jk}$ as follows.

Using Point V2.1, by Theorem 3, $P'_1$ satisfies the correspondence
\[
\mathrm{event}(p, i) \Rightarrow \bigvee_{j = 1..m,\ r} \Bigl(\mathrm{event}(\sigma_{jr} p'_j, i_{jr}) \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathrm{event}(\mathit{arg}_{jrk}, i_{jrk})\Bigr) \tag{24}
\]
against $\mathit{Init}$-adversaries.

Assume that $\mathrm{event}(\sigma p, \lambda)$ is executed at step $\tau$ in $T$ for some substitution $\sigma$. Let us consider the trace $T$ cut just after step $\tau$. By Correspondence (24), there exist $\sigma'$, $j \in \{1, \ldots, m\}$, and $r$ such that $\sigma'\sigma_{jr} p'_j = \sigma p$, $\sigma' i_{jr} = \lambda$, and for $k \in \{1, \ldots, l_j\}$, there exists $\lambda_k$ such that $\mathrm{event}(\sigma' \mathit{arg}_{jrk}, \lambda_k)$ is executed in the trace $T$ cut after step $\tau$. So the event $\mathrm{event}(\sigma' \mathit{arg}_{jrk}, \lambda_k)$ is executed at step $\tau_k < \tau$ in $T$. In this case, we define $\psi_{jk}(\tau) = \tau_k$ and $r(\tau) = r$.

If $[\mathrm{inj}]_{jk} = \mathrm{inj}$, then $\mathrm{event}(\sigma'\sigma_{jr} p_{jk}, \lambda_k)$ is executed at step $\phi^1_{jk}(\psi_{jk}(\tau)) = \psi^{jk}(\tau)$.

If $[\mathrm{inj}]_{jk} \neq \mathrm{inj}$, then $\mathit{arg}_{jrk} = \sigma_{jr} p_{jk}$, so $\mathrm{event}(\sigma'\sigma_{jr} p_{jk}, \lambda_k)$ is executed at step $\psi_{jk}(\tau) = \psi^{jk}(\tau)$.

By construction, if $\psi_{jk}(\tau)$ is defined, then $\psi_{jk}(\tau) < \tau$.

When $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$, we let $f_{\widetilde{jk}}$ be the root function symbol of $p_{\widetilde{jk}}$.

By Point V2.3, for all $j$, $r$, $k$, $\mathrm{verify}'(\sigma_{jr} q'_{jk}, (\mathit{Env}_{jk\widetilde{jk}})_{\widetilde{jk}}, (x_{jk\widetilde{jk}})_{\widetilde{jk}})$ is true. So, by induction hypothesis, there exist functions $\psi_{jrk,\widetilde{jk}}$ such that

- For all $\tau_k$, if the event $\mathrm{event}(\sigma'\sigma_{jr} p_{jk}, \lambda_k)$ is executed at step $\tau_k$ in $T$, then there exist $\sigma''_{jrk}$ and $J = (j_{jrk,\widetilde{k}})_{\widetilde{k}}$ such that $\sigma''_{jrk}\sigma_{jr} p_{jk} = \sigma'\sigma_{jr} p_{jk}$ and, for all non-empty $\widetilde{k}$, $\psi^{\mathrm{makejk}(\widetilde{k},J)}_{jrk}(\tau_k)$ is defined and $\mathrm{event}(\sigma''_{jrk}\sigma_{jr} p_{jk\,\mathrm{makejk}(\widetilde{k},J)}, \lambda_{k\widetilde{k}})$ is executed at step $\psi^{\mathrm{makejk}(\widetilde{k},J)}_{jrk}(\tau_k)$ in $T$.

- For all non-empty $\widetilde{jk}$, if $[\mathrm{inj}]_{jk\widetilde{jk}} = \mathrm{inj}$ and $\psi_{jrk,\widetilde{jk}}(\tau)$ is defined, then $\mathrm{event}(p''_1, \lambda'_1)$ is executed at step $\tau$ in $T$, $\mathrm{event}(f^{\text{m-event}}_{jk\widetilde{jk}}(p''_2, \theta\rho(x_{jk\widetilde{jk}})), \lambda'_2)$ is executed at step $\psi_{jrk,\widetilde{jk}}(\tau)$ in $T$, and $\theta i = \lambda'_1$ for some $p''_1$, $p''_2$, $\lambda'_1$, $\lambda'_2$, $\theta$, and $(\rho, i) \in \mathit{Env}_{jk\widetilde{jk}}$.

- For all non-empty $\widetilde{jk}$, if $\psi_{jrk,\widetilde{jk}}(\tau)$ is defined, then $\psi_{jrk,\widetilde{jk}}(\tau) < \tau$.

We define $\psi_{jk\widetilde{jk}}(\tau) = \psi_{jrk,\widetilde{jk}}(\tau)$ for $r = r(\tau)$. Then we have $\psi^{jk\widetilde{jk}}(\tau) = \psi^{\widetilde{jk}}_{jrk}(\psi^{jk}(\tau))$ for $r = r(\tau)$.

Therefore, for all $\tau$, if $\mathrm{event}(\sigma p, \lambda)$ is executed at step $\tau$ in $T$, then

- there exist $\sigma'$, $J_\varepsilon = (j_{\widetilde{k}})_{\widetilde{k}}$, and $r$ such that $j_\varepsilon = j \in \{1, \ldots, m\}$, $j_{\widetilde{k}}$ is undefined for all $\widetilde{k} \neq \varepsilon$, $\sigma'\sigma_{jr} p'_j = \sigma p$, and, for all $k$, $\psi^{\mathrm{makejk}(k,J_\varepsilon)}(\tau)$ is defined and $\mathrm{event}(\sigma'\sigma_{jr} p_{\mathrm{makejk}(k,J_\varepsilon)}, \lambda_k)$ is executed at step $\psi^{\mathrm{makejk}(k,J_\varepsilon)}(\tau)$;

- for all $k$, there exist $\sigma''_{jrk}$ and $J_k = (j_{k\widetilde{k}})_{\widetilde{k}}$ such that $\sigma''_{jrk}\sigma_{jr} p_{jk} = \sigma'\sigma_{jr} p_{jk}$ and, for all non-empty $\widetilde{k}$, $\psi^{\mathrm{makejk}(k\widetilde{k},J_k)}(\tau)$ is defined and $\mathrm{event}(\sigma''_{jrk}\sigma_{jr} p_{\mathrm{makejk}(k\widetilde{k},J_k)}, \lambda_{k\widetilde{k}})$ is executed at step $\psi^{\mathrm{makejk}(k\widetilde{k},J_k)}(\tau)$ in $T$.

We define a family of indices $J$ by merging $J_\varepsilon$ and $J_k$ for all $k$, that is, $J = (j_{\widetilde{k}})_{\widetilde{k}}$. Therefore, in order to obtain P1, it is enough to find a substitution $\sigma''$ such that $\sigma'' p'_j = \sigma'\sigma_{jr} p'_j$, $\sigma'' p_{jk} = \sigma'\sigma_{jr} p_{jk}$, and $\sigma'' p_{jk\widetilde{jk}} = \sigma''_{jrk}\sigma_{jr} p_{jk\widetilde{jk}}$ for all non-empty $\widetilde{jk}$. Let us define $\sigma_u$ as follows:

- For all $x \in \mathrm{fv}(\sigma_{jr} p'_j) \cup \bigcup_k \mathrm{fv}(\sigma_{jr} p_{jk})$, $\sigma_u x = \sigma' x$.

- For all $k$, for all $x \in \mathrm{fv}(\sigma_{jr} q'_{jk}) \setminus \mathrm{fv}(\sigma_{jr} p_{jk})$, $\sigma_u x = \sigma''_{jrk} x$.

By Point V2.2, these sets of variables are disjoint, so $\sigma_u$ is well defined. Let $\sigma'' = \sigma_u \sigma_{jr}$.

We have $\sigma'' p'_j = \sigma_u\sigma_{jr} p'_j = \sigma'\sigma_{jr} p'_j$ and $\sigma'' p_{jk} = \sigma_u\sigma_{jr} p_{jk} = \sigma'\sigma_{jr} p_{jk}$. Since $\sigma'' q'_{jk} = \sigma_u\sigma_{jr} q'_{jk}$, we just have to show that $\sigma_u\sigma_{jr} q'_{jk} = \sigma''_{jrk}\sigma_{jr} q'_{jk}$. We have $\sigma_u\sigma_{jr} p_{jk} = \sigma'\sigma_{jr} p_{jk} = \sigma''_{jrk}\sigma_{jr} p_{jk}$. Therefore, if $x \in \mathrm{fv}(\sigma_{jr} p_{jk})$, then $\sigma_u x = \sigma''_{jrk} x$.⁵ Hence, for all $x \in \mathrm{fv}(\sigma_{jr} q'_{jk})$, $\sigma_u x = \sigma''_{jrk} x$, which proves that $\sigma_u\sigma_{jr} q'_{jk} = \sigma''_{jrk}\sigma_{jr} q'_{jk}$. Hence we obtain P1.

If $[\mathrm{inj}]_{jk} = \mathrm{inj}$ and $\psi_{jk}(\tau)$ is defined, then $\mathrm{event}(p''_1, \lambda'_1) = \mathrm{event}(\sigma p, \lambda)$ is executed at step $\tau$ in $T$, $\mathrm{event}(f^{\text{m-event}}_{jk}(p''_2, \theta\rho(x_{jk})), \lambda'_2) = \mathrm{event}(\sigma' \mathit{arg}_{jrk}, \lambda_k)$ is executed at step $\psi_{jk}(\tau)$ in $T$, and $\theta i = \lambda'_1$ for some $p''_1 = \sigma p$, $p''_2$, $\lambda'_1 = \lambda$, $\lambda'_2 = \lambda_k$, $\theta = \sigma'$, and $(\rho, i) = (\rho_{jrk}, i_{jr}) \in \mathit{Env}_{jk}$. For all non-empty $\widetilde{jk}$, if $[\mathrm{inj}]_{jk\widetilde{jk}} = \mathrm{inj}$ and $\psi_{jk\widetilde{jk}}(\tau)$ is defined, then $\mathrm{event}(p''_1, \lambda'_1)$ is executed at step $\tau$ in $T$, $\mathrm{event}(f^{\text{m-event}}_{jk\widetilde{jk}}(p''_2, \theta\rho(x_{jk\widetilde{jk}})), \lambda'_2)$ is executed at step $\psi_{jk\widetilde{jk}}(\tau)$ in $T$, and $\theta i = \lambda'_1$ for some $p''_1$, $p''_2$, $\lambda'_1$, $\lambda'_2$, $\theta$, and $(\rho, i) \in \mathit{Env}_{jk\widetilde{jk}}$. So we obtain P2.

If $\psi_{jk}(\tau)$ is defined, then $\psi_{jk}(\tau) < \tau$. For all non-empty $\widetilde{jk}$, if $\psi_{jk\widetilde{jk}}(\tau)$ is defined, then $\psi_{jk\widetilde{jk}}(\tau) < \tau$. Therefore, we have P3.

Let $q = \mathrm{event}(p) \Rightarrow \bigvee_{j=1}^{m} \bigl(\mathrm{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, q_{jk}\bigr)$, and $q_{\widetilde{jk}} = \mathrm{event}(p_{\widetilde{jk}}) \rightsquigarrow \bigvee_{j=1}^{m_{\widetilde{jk}}} \bigwedge_{k=1}^{l_{\widetilde{jk}j}} [\mathrm{inj}]_{\widetilde{jk}jk}\, q_{\widetilde{jk}jk}$. By Hypothesis H1, $\mathrm{verify}'(q, (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}}, (x_{\widetilde{jk}})_{\widetilde{jk}})$ is true, so there exists a function $\psi_{\widetilde{jk}}$ for each $\widetilde{jk}$ such that P1, P2, and P3 are satisfied. Let

• By P1, for all $\tau$, if the event $\mathrm{event}(\sigma p, \lambda_\varepsilon)$ is executed at step $\tau$ in $T$, then there exist $\sigma'$ and $J = (j_{\widetilde{k}})_{\widetilde{k}}$ such that $\sigma' p'_{j_\varepsilon} = \sigma p$ and, for all non-empty $\widetilde{k}$, $\psi^{\mathrm{makejk}(\widetilde{k},J)}(\tau)$ is defined and $\mathrm{event}(\sigma' p_{\mathrm{makejk}(\widetilde{k},J)}, \lambda_{\widetilde{k}})$ is executed at step $\psi^{\mathrm{makejk}(\widetilde{k},J)}(\tau)$ in $T$.

Let us show recentness. Suppose that $[\mathrm{inj}]_{\mathrm{makejk}(\widetilde{k},J)} = \mathrm{inj}$. We show that the runtimes of $\mathrm{session}(\lambda_{\widetilde{k}'})$ and $\mathrm{session}(\lambda_{\widetilde{k}})$ overlap. We have $\psi^{\mathrm{makejk}(\widetilde{k},J)}(\tau) = \phi^1_{\mathrm{makejk}(\widetilde{k},J)}(\psi_{\mathrm{makejk}(\widetilde{k},J)}(\psi^{\mathrm{makejk}(\widetilde{k}',J)}(\tau)))$. Let $\tau_1 = \psi^{\mathrm{makejk}(\widetilde{k}',J)}(\tau)$. Then $\psi_{\mathrm{makejk}(\widetilde{k},J)}(\tau_1)$ is defined. Hence, by P2, $e_1 = \mathrm{event}(p''_1, \lambda'_1)$ is executed at step $\tau_1$ in $T$, $e_2 = \mathrm{event}(f^{\text{m-event}}_{\mathrm{makejk}(\widetilde{k},J)}(p''_2, \theta\rho(x_{\mathrm{makejk}(\widetilde{k},J)})), \lambda'_2)$ is executed at step $\tau_2 = \psi_{\mathrm{makejk}(\widetilde{k},J)}(\tau_1)$ in $T$ by a reduction $S_{\tau_2}, E_{\tau_2}, \mathcal{P}_{\tau_2} \to S_{\tau_2+1}, E_{\tau_2+1}, \mathcal{P}_{\tau_2+1}$, and $\theta i = \lambda'_1$ for some $p''_1$, $p''_2$, $\lambda'_1$, $\lambda'_2$, $\theta$, and $(\rho, i) \in \mathit{Env}_{\mathrm{makejk}(\widetilde{k},J)}$. Since the event $\mathrm{event}(\sigma' p_{\mathrm{makejk}(\widetilde{k}',J)}, \lambda_{\widetilde{k}'})$ is also executed at step $\tau_1 = \psi^{\mathrm{makejk}(\widetilde{k}',J)}(\tau)$, we have $\lambda'_1 = \lambda_{\widetilde{k}'}$. By the properties of $\phi^1_{\mathrm{makejk}(\widetilde{k},J)}$, $\mathrm{event}(f_{\mathrm{makejk}(\widetilde{k},J)}(p''_2), \lambda'_2)$ is executed at step $\phi^1_{\mathrm{makejk}(\widetilde{k},J)}(\tau_2) = \psi^{\mathrm{makejk}(\widetilde{k},J)}(\tau)$. Moreover, $\mathrm{event}(\sigma' p_{\mathrm{makejk}(\widetilde{k},J)}, \lambda_{\widetilde{k}})$ is also executed at step $\psi^{\mathrm{makejk}(\widetilde{k},J)}(\tau)$, so $\lambda'_2 = \lambda_{\widetilde{k}}$.

By Hypothesis H2, $\rho(x_{\mathrm{makejk}(\widetilde{k},J)})\{\lambda/i\}$ does not unify with $\rho(x_{\mathrm{makejk}(\widetilde{k},J)})\{\lambda'/i\}$ when $\lambda \neq \lambda'$, so $i$ occurs in $\rho(x_{\mathrm{makejk}(\widetilde{k},J)})$, so $\lambda_{\widetilde{k}'} = \lambda'_1 = \theta i$ occurs in $\theta\rho(x_{\mathrm{makejk}(\widetilde{k},J)})$, so $\lambda_{\widetilde{k}'}$ occurs in $e_2$.

So $e_2$ is executed after the rule $S, E, \mathcal{P} \cup \{!^i P'\} \to S \setminus \{\lambda_{\widetilde{k}'}\}, E, \mathcal{P} \cup \{P'\{\lambda_{\widetilde{k}'}/i\}, !^i P'\}$ in $T$. Indeed, since $\lambda_{\widetilde{k}'}$ occurs in the event $e_2$ executed at step $\tau_2$, $\lambda_{\widetilde{k}'} \in \mathrm{SId}'(E_{\tau_2}) \cup \mathrm{SId}'(\mathcal{P}_{\tau_2})$ where $\mathrm{SId}'(\mathcal{P})$ (resp. $\mathrm{SId}'(E)$) is the set of session identifiers $\lambda$ that occur in $\mathcal{P}$ (resp. $E$). Moreover, $\mathrm{SId}'(E_0) \cup \mathrm{SId}'(\{P'_1, Q'\}) = \emptyset$, and the only rule that increases $\mathrm{SId}'(E) \cup \mathrm{SId}'(\mathcal{P})$ is $S, E, \mathcal{P} \cup \{!^i P'\} \to S \setminus \{\lambda\}, E, \mathcal{P} \cup \{P'\{\lambda/i\}, !^i P'\}$, which adds $\lambda$ to $\mathrm{SId}'(E) \cup \mathrm{SId}'(\mathcal{P})$. Therefore, $e_2$ is executed after the beginning of the runtime of $\mathrm{session}(\lambda_{\widetilde{k}'})$.

Moreover, $e_2$ is executed at step $\tau_2 = \psi_{\mathrm{makejk}(\widetilde{k},J)}(\tau_1)$ and $e_1$ is executed at step $\tau_1$ in $T$, with $\psi_{\mathrm{makejk}(\widetilde{k},J)}(\tau_1) < \tau_1$, so $e_2$ is executed before $e_1 = \mathrm{event}(p''_1, \lambda_{\widetilde{k}'})$.

So $e_2 = \mathrm{event}(f^{\text{m-event}}_{\mathrm{makejk}(\widetilde{k},J)}(p''_2, \theta\rho(x_{\mathrm{makejk}(\widetilde{k},J)})), \lambda_{\widetilde{k}})$ is executed during the runtime of $\mathrm{session}(\lambda_{\widetilde{k}'})$, therefore the runtimes of $\mathrm{session}(\lambda_{\widetilde{k}'})$ and $\mathrm{session}(\lambda_{\widetilde{k}})$ overlap.

⁵ This property does not hold in the presence of an equational theory (see Section 9.1). In that case, we conclude by the additional hypothesis mentioned in Section 9.1.

Let us show that, for all non-empty $\widetilde{jk}$, if $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$, then $\psi_{\widetilde{jk}}$ is injective. Let $\tau_1$ and $\tau_2$ be such that $\psi_{\widetilde{jk}}(\tau_1) = \psi_{\widetilde{jk}}(\tau_2)$. By P2, $\mathrm{event}(p''_1, \lambda'_1)$ is executed at step $\tau_1$ in $T$, $\mathrm{event}(f^{\text{m-event}}_{\widetilde{jk}}(p''_3, \theta_1\rho_1(x_{\widetilde{jk}})), \lambda'_3)$ is executed at step $\psi_{\widetilde{jk}}(\tau_1)$ in $T$, and $\theta_1 i_1 = \lambda'_1$ for some $p''_1$, $p''_3$, $\lambda'_1$, $\lambda'_3$, $\theta_1$, and $(\rho_1, i_1) \in \mathit{Env}_{\widetilde{jk}}$. Also by P2, $\mathrm{event}(p''_2, \lambda'_2)$ is executed at step $\tau_2$ in $T$, $\mathrm{event}(f^{\text{m-event}}_{\widetilde{jk}}(p''_4, \theta_2\rho_2(x_{\widetilde{jk}})), \lambda'_4)$ is executed at step $\psi_{\widetilde{jk}}(\tau_2)$ in $T$, and $\theta_2 i_2 = \lambda'_2$ for some $p''_2$, $p''_4$, $\lambda'_2$, $\lambda'_4$, $\theta_2$, and $(\rho_2, i_2) \in \mathit{Env}_{\widetilde{jk}}$. Since $\psi_{\widetilde{jk}}(\tau_1) = \psi_{\widetilde{jk}}(\tau_2)$, $\theta_1\rho_1(x_{\widetilde{jk}}) = \theta_2\rho_2(x_{\widetilde{jk}})$. By Hypothesis H2, this implies that $\theta_1 i_1 = \theta_2 i_2$, so $\lambda'_1 = \lambda'_2$. By Lemma 17, $\tau_1 = \tau_2$, which proves the injectivity of $\psi_{\widetilde{jk}}$.

Let us show that, for all non-empty $\widetilde{jk}$, if $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$, then $\psi^{\widetilde{jk}}$ is injective, by induction on the length of the sequence of indices $\widetilde{jk}$.

For all $j$ and $k$, if $[\mathrm{inj}]_{jk} = \mathrm{inj}$, then $\psi^{jk}$ is injective since $\phi^1_{jk}$, $\psi_{jk}$, and $\psi^{\varepsilon}$ are injective.

For all non-empty $\widetilde{jk}$, for all $j$ and $k$, if $[\mathrm{inj}]_{\widetilde{jk}jk} = \mathrm{inj}$, then, by hypothesis, $[\mathrm{inj}]_{\widetilde{jk}} = \mathrm{inj}$, so, by induction hypothesis, $\psi^{\widetilde{jk}}$ is injective. The functions $\phi^1_{\widetilde{jk}jk}$ and $\psi_{\widetilde{jk}jk}$ are injective, so $\psi^{\widetilde{jk}jk}$ is also injective.

For all $\widetilde{jk}$, for all $j$ and $k$, if $\psi^{\widetilde{jk}jk}(\tau)$ is defined, then $\psi^{\widetilde{jk}}(\tau)$ is defined, and $\psi^{\widetilde{jk}jk}(\tau) < \psi^{\widetilde{jk}}(\tau)$, since $\phi^1_{\widetilde{jk}jk}(\tau'') < \tau''$ and $\psi_{\widetilde{jk}jk}(\tau') < \tau'$ by P3, when they are defined.

In particular, for all $j$ and $k$, if $\psi^{jk}(\tau)$ is defined, then $\psi^{jk}(\tau) < \psi^{\varepsilon}(\tau) = \tau$. This concludes the proof of the desired recent correspondence. □

Proof (of Proposition 2) We have $\mathrm{verify}(q, (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}})$ with $\mathit{Env}_{jk} = \{(\rho_{jrk}, i_{jr}) \mid r \in \{1, \ldots, n_j\}\}$, because the first item implies V2.1, V2.2 holds trivially since $q_{jk}$ reduces to $\mathrm{event}(p_{jk})$, and V2.3 also holds since $q_{jk}$ reduces to $\mathrm{event}(p_{jk})$, so $\mathrm{verify}(\sigma_{jr} q_{jk}, (\mathit{Env}_{jk\widetilde{jk}})_{\widetilde{jk}})$ holds by V1. The second item implies H2. So we have the result by Theorem 5. □